[IMP] shopinvader_session auto-update

[acsonefho]

Context Into the main Controller (controllers.main:InvaderController), we have a function named _get_shopinvader_session_from_headers(...) who is used to load some parameters from headers into the current shopinvader_session. If a sub-module want to add another value into the shopinvader_session, we have to inherit this function and add customs keys.

My question As we always/most of the time have to load header's keys who start with "HTTP_SESS_", it is possible to load every headers keys who start with this "HTTP_SESS_". So if one day the locomotive part (for example) is updated and session values doesn't start anymore by "HTTP_SESS_", we have to update every modules to match with the new key. If we have this automatic load, we can just update the basic shopinvader module and we don't have to inherit this function (_get_shopinvader_session_from_headers(...)) into each modules.

Related questions

• Is it safe to do it (code injection etc)?
• Is it safe to load every session values (even if not needed)?
• Others consequences that I forget?

[acsonefho]

@sebastienbeau @Cedric-Pigeon @lmignon What do you think about this?

[lmignon]

@acsonefho IMO we should find a better way to manage session information and no more rely on http headers.

[rvalyi]

best reading I know on the subject https://guides.rubyonrails.org/security.html

[simahawk]

still valid?