rubycas / rubycas-client

Ruby client for Yale's Central Authentication Service protocol -- an open source enterprise single sign on system for web applications.
http://code.google.com/p/rubycas-client/

CAS client occupies almost all session storage space (cookie overflow) #37

Closed batizhevsky closed 12 years ago

batizhevsky commented 12 years ago

http://code.google.com/p/rubycas-client/issues/detail?id=42

What steps will reproduce the problem?

  1. Clean Rails app + rubycas client set up as a before filter on some controller.
  2. In /etc/rubycas/config.yml - SQL authenticator + 2-3 varchar(255) columns containing about a hundred characters each. These 2-3 columns are returned as extra attributes.
  3. Login via CAS login window.

What is the expected output? What do you see instead? Expected output is normal behavior; instead I see an exception about cookie overflow.

What version of the product are you using? On what operating system? Rails 3, Ruby 1.9.2 (via RVM), rubycas-client installed as a plugin.

Please provide any additional information below.

When using cookie storage for sessions (Rails default), rubycas-related info occupies more than 3K of it (and 4K is the limit). That's how we get a CookieOverflow exception after adding a couple of strings to extra attributes.

To see how much session storage is occupied:

  1. switch to db session storage:
    • config/initializers/session_store.rb: Rails.application.config.session_store :active_record_store
    • rake db:sessions:create
    • rake db:migrate
  2. log in to the app using CAS;
  3. From the rails console:
    • rails c
    • s = ActiveRecord::SessionStore::Session.first
    • ActiveRecord::SessionStore::Session.marshal(s.data).length
  4. What is actually taking most of the storage space:

ActiveRecord::SessionStore::Session.marshal(s.data["cas_last_valid_ticket"].response.xml).length

Current solution: switched to db session storage.

Possible solutions:

A) maybe it is possible to store some key attributes in the session and re-create ServiceTicket from them instead of storing the whole object in session;

B) use compression for xml.
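The measurement and the two remedies proposed in the report, as an added, self-contained Ruby example (not rubycas-client's own code and not posted by the reporter). It assumes a stand-in ServiceTicket struct (parsed fields plus the raw serviceValidate XML), a constructed CAS 2.0 response whose three extra attributes are about 100 characters each, and a cookie-size estimate that approximates Rails 3's signed cookie store as Marshal + Base64 plus a 41-byte "--" hex HMAC-SHA1 suffix; the 4096-byte limit is the one at which Rails raises CookieOverflow. Solution B deflates the XML before it is stored; solution A keeps only ticket, user and extra attributes and rebuilds the ticket object from them.

```ruby
require 'zlib'
require 'rexml/document'

CAS_NS = { 'cas' => 'http://www.yale.edu/tp/cas' }.freeze
MAX_COOKIE_SIZE = 4096 # Rails CookieStore raises CookieOverflow above this

# Constructed CAS 2.0 serviceValidate success response. User, ticket and the three
# ~100-character extra attributes are made up; they mirror the "2-3 varchar(255)
# columns" from the report. Attribute layout follows the CAS 2.0 convention, which
# may differ from what a given rubycas-server build emits.
SAMPLE_XML = <<~XML
  <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
    <cas:authenticationSuccess>
      <cas:user>jsmith</cas:user>
      <cas:attributes>
        <cas:department>Faculty of Applied Mathematics and Computer Science, Department of Distributed Systems, building 4, room 112</cas:department>
        <cas:title>Senior research fellow and lecturer in secure systems engineering, coordinator of the graduate seminar</cas:title>
        <cas:groups>staff;faculty;cs-research;cs-distributed-systems;seminar-coordinators;library-full-access;vpn-users;wiki-editors</cas:groups>
      </cas:attributes>
    </cas:authenticationSuccess>
  </cas:serviceResponse>
XML

# Stand-in (assumed shape) for what ends up in session["cas_last_valid_ticket"]:
# the parsed fields plus the whole response. A named constant so Marshal can dump it.
ServiceTicket = Struct.new(:ticket, :user, :extra_attributes, :raw_xml)

# Parse the validation response once, at login time; keep user + extra attributes.
def parse_validation_response(ticket_id, xml)
  doc  = REXML::Document.new(xml)
  user = REXML::XPath.first(doc, '//cas:authenticationSuccess/cas:user', CAS_NS)
  raise 'CAS authentication failed' unless user
  attrs = {}
  REXML::XPath.each(doc, '//cas:attributes/*', CAS_NS) { |el| attrs[el.name] = el.text }
  ServiceTicket.new(ticket_id, user.text, attrs, xml)
end

# Approximates Rails 3's signed cookie store: Marshal.dump, Base64, then
# "--" + 40 hex chars of HMAC-SHA1 (41 bytes, an assumption of this example).
def cookie_bytes(session)
  [Marshal.dump(session)].pack('m0').bytesize + 41
end

def fits_in_cookie?(bytes)
  bytes <= MAX_COOKIE_SIZE
end

# Solution B from the report: keep the XML, but deflated.
def compress_ticket(t)
  ServiceTicket.new(t.ticket, t.user, t.extra_attributes,
                    Zlib::Deflate.deflate(t.raw_xml, Zlib::BEST_COMPRESSION))
end

def inflate_xml(t)
  Zlib::Inflate.inflate(t.raw_xml)
end

# Solution A from the report: store only the key attributes as plain Strings/Hash...
def slim_ticket(t)
  { 'ticket' => t.ticket, 'user' => t.user, 'extra_attributes' => t.extra_attributes }
end

# ...and re-create the ticket object from them on the next request.
def rebuild_ticket(slim)
  ServiceTicket.new(slim['ticket'], slim['user'], slim['extra_attributes'], nil)
end

# Cookie footprint of the same login under the three layouts.
def session_sizes(t)
  {
    full:       cookie_bytes('cas_last_valid_ticket' => t),
    compressed: cookie_bytes('cas_last_valid_ticket' => compress_ticket(t)),
    slim:       cookie_bytes('cas_last_valid_ticket' => slim_ticket(t))
  }
end

if $PROGRAM_NAME == __FILE__
  t = parse_validation_response('ST-1234-aBcDeFgHiJkLmNoPqRsTuVwXyZ-cas01', SAMPLE_XML)
  session_sizes(t).each do |layout, bytes|
    printf("%-10s %5d bytes (%3d%% of the %d-byte cookie)\n",
           layout, bytes, bytes * 100 / MAX_COOKIE_SIZE, MAX_COOKIE_SIZE)
  end
end
```

The slim layout wins because a Hash of short Strings marshals to far less than a Struct carrying the response body, and it is the only one whose size stays roughly proportional to the attribute columns the administrator configured; compression helps but still scales with the XML, and its benefit shrinks for short, low-redundancy attribute values. Whatever is dropped from the session (here the raw XML) must be extracted at validation time if later code needs it.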

soupmatt commented 12 years ago

what version of rubycas-client are you using? We fixed a lot of the session storage problems a while ago.

batizhevsky commented 12 years ago

Sorry, I can't find info about this. I use 2.2.1 because rubycas-client-rails requires it.

soupmatt commented 12 years ago

I think if you use master of rubycas-client-rails, you can update rubycas-client to the 2.3 series. Eventually, rubycas-client-rails is going to get some love, but it'll be some time still.