google-code-export / rubycas-client

Automatically exported from code.google.com/p/rubycas-client

CAS client occupies almost all session storage space (cookie overflow) #42

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
> What steps will reproduce the problem?
1. Clean Rails app + rubycas client set up as a before filter on some 
controller.
2. In /etc/rubycas/config.yml - SQL authenticator + 2-3 varchar(255) columns 
containing about a hundred characters each. These 2-3 columns are returned as 
extra attributes.
3. Login via CAS login window.

> What is the expected output? What do you see instead?
Expected output is normal behavior, instead I see an exception about cookie 
overflow.

> What version of the product are you using? On what operating system?
Rails 3, Ruby 1.9.2 (via RVM), rubycas-client installed as a plugin.

> Please provide any additional information below.

When using cookie storage for sessions (Rails default), rubycas-related info 
occupies more than 3K of it (and 4K is the limit). That's how we get 
CookieOverflow exception after adding a couple of strings to extra attributes.

To see how much session storage is occupied:
1. switch to db session storage:
 - config/initializers/session_store.rb:
 Rails.application.config.session_store :active_record_store
 - rake db:sessions:create;
 - rake db:migrate;

2. log in to the app using CAS;
3. From the rails console:
 - rails c;
 - s = ActiveRecord::SessionStore::Session.first;
 - ActiveRecord::SessionStore::Session.marshal(s.data).length;

4. What is actually taking most of the storage space:

ActiveRecord::SessionStore::Session.marshal(s.data["cas_last_valid_ticket"].response.xml).length

Current solution: switched to db session storage.

Possible solutions: 

A) maybe it is possible to store some key attributes in the session and 
re-create ServiceTicket from them instead of storing the whole object in 
session;

B) use compression for xml.

Original issue reported on code.google.com by valentin...@gmail.com on 1 Feb 2011 at 4:33
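
The size check from steps 3-4 and possible solution A, as an added example that is not part of the original issue or of rubycas-client. The `Response` and `Ticket` structs, the `other_app_data` key and all sample values are constructed stand-ins, and the attribute lengths are larger than the report's so that this string-only stand-in crosses the 4K limit.

```ruby
require 'base64'

# Hypothetical stand-ins for the client's ticket and validation response.
Response = Struct.new(:xml, :user, :extra_attributes)
Ticket   = Struct.new(:ticket, :service, :response)

COOKIE_LIMIT = 4096 # the 4K cookie limit named in the report

# Size of a value as a cookie-backed session would carry it: Marshal, then
# Base64. The signature Rails appends is left out, so real cookies are larger.
def cookie_size(value)
  Base64.strict_encode64(Marshal.dump(value)).bytesize
end

# Per-key sizes, largest first, to see which session entry dominates.
def size_report(session)
  session.map { |key, value| [key, cookie_size(value)] }
         .sort_by { |_, size| -size }
end

# Solution A: keep only the fields needed to rebuild the ticket later,
# and drop the raw validation response XML.
def slim(ticket)
  { 'ticket' => ticket.ticket, 'service' => ticket.service,
    'user' => ticket.response.user,
    'extra_attributes' => ticket.response.extra_attributes }
end

# Constructed sample data (not taken from a real CAS server).
def sample_ticket
  attrs = { 'full_name' => 'n' * 700, 'department' => 'd' * 700, 'roles' => 'r' * 700 }
  xml = '<cas:authenticationSuccess><cas:user>alice</cas:user>' +
        attrs.map { |k, v| "<#{k}>#{v}</#{k}>" }.join +
        '</cas:authenticationSuccess>'
  Ticket.new('ST-constructed-1', 'https://app.example.test/', Response.new(xml, 'alice', attrs))
end

# Compare the session with the whole ticket object against the slim form.
def compare
  ticket = sample_ticket
  full = { 'other_app_data' => 'x' * 200, 'cas_last_valid_ticket' => ticket }
  lean = { 'other_app_data' => 'x' * 200, 'cas_last_valid_ticket' => slim(ticket) }
  { full: cookie_size(full), lean: cookie_size(lean), largest: size_report(full).first[0] }
end

if __FILE__ == $PROGRAM_NAME
  r = compare
  puts "full: #{r[:full]} bytes, lean: #{r[:lean]} bytes, limit: #{COOKIE_LIMIT}"
end
```
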

GoogleCodeExporter commented 9 years ago
I have the same issue, and the problem with switching to db session storage is 
when you try and access the extra_attributes with an LDAP query, you can no 
longer access the string as YAML.  I am sure there is a workaround for that 
too, but it would be nice to have a better solution for this.  I am going to 
look around in the code, but I am pretty new to Rails, so I'm not sure I can 
help much.

Original comment by tobyjoi...@gmail.com on 28 Jun 2011 at 5:16

GoogleCodeExporter commented 9 years ago
Yeah I don't think we should be storing the whole 'last_valid_ticket' in the 
session. It's probably unnecessary. I'll see about getting that removed.

Original comment by matt.zuk...@gmail.com on 28 Jun 2011 at 7:03

GoogleCodeExporter commented 9 years ago

Original comment by matt.zuk...@gmail.com on 28 Jun 2011 at 7:04