LPing

Reputation: 317

Rails rack-protection usage, error "you need to set up a session middleware *before* Rack::Protection::SessionHijacking"

I tried to use the rack-protection gem and followed the usage guide to configure the "config.ru" file. When I tried to run the app again, I got this error: "you need to set up a session middleware before Rack::Protection::SessionHijacking".

  # config.ru
  require 'rack/protection'
  use Rack::Protection
  run MyApp

Taking the code from the reply:

# config/application.rb
module YouApp
  class Application < Rails::Application
    # Appended to the end of the Rails middleware stack
    config.middleware.use Rack::Protection::SessionHijacking
  end
end

I put this into my application.rb and am still getting the Internal Service Error "you need to set up a session middleware before Rack::Protection::SessionHijacking".

Here is the output of rake middleware:

use Rack::MiniProfiler
use ActionDispatch::Static
use Rack::Lock
use #<ActiveSupport::Cache::Strategy::LocalCache::Middleware:0x007f9482a28910>
use Rack::Runtime
use Rack::MethodOverride
use ActionDispatch::RequestId
use Rails::Rack::Logger
use ActionDispatch::ShowExceptions
use ActionDispatch::DebugExceptions
use ActionDispatch::RemoteIp
use ActionDispatch::Reloader
use ActionDispatch::Callbacks
use ActiveRecord::ConnectionAdapters::ConnectionManagement
use ActiveRecord::QueryCache
use ActionDispatch::Cookies
use ActiveRecord::SessionStore
use ActionDispatch::Flash
use ActionDispatch::ParamsParser
use ActionDispatch::Head
use Rack::ConditionalGet
use Rack::ETag
use ActionDispatch::BestStandardsSupport
use Warden::Manager
use Rack::Protection::SessionHijacking
use MetaRequest::Middlewares::MetaRequestHandler
use MetaRequest::Middlewares::Headers
use MetaRequest::Middlewares::AppRequestHandler
use OmniAuth::Strategies::Twitter
use OmniAuth::Strategies::Facebook
run Myapp::Application.routes

I would appreciate any help, and thanks for your time.

Upvotes: 4

Views: 1752

Answers (2)

Lee

Reputation: 8734

Building on the answer of @dip00dip,

Do this:

# config/application.rb
config.middleware.use Rack::Protection

Don't use config.ru. This is the way recommended in the Rails Guides to use Rack Middleware. http://guides.rubyonrails.org/rails_on_rack.html#configuring-middleware-stack

Upvotes: 2

dip00dip

Reputation: 441

Step 1 is to exclude SessionHijacking middleware from the Rack::Protection pack:

# config.ru
require 'rack/protection'
use Rack::Protection, :except => :session_hijacking
...
run YourApp

This will solve the problem - but I will assume you really want this Anti-hijacking feature:

Step 2. Add the middleware inside Rails application.rb

module YouApp
  class Application < Rails::Application
    config.middleware.use Rack::Protection::SessionHijacking
    ...

In this way you will make it load after Rails' own session middleware - ActionDispatch::Session::CookieStore.

You can check the result by running rake middleware.

Upvotes: 4
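
An added example (not part of either answer, and not rack-protection's own code): a Ruby check that reads `rake middleware` output and reports whether a session middleware is listed before Rack::Protection::SessionHijacking. The two listings are constructed, and the name pattern used to recognise session middleware is an assumption.

```ruby
# Added example: verify middleware order from `rake middleware` output.
GUARD = 'Rack::Protection::SessionHijacking'
# Assumption: session middleware is recognised by name, e.g.
# ActionDispatch::Session::CookieStore or ActiveRecord::SessionStore.
SESSION_PATTERN = /::Session::|SessionStore\z/

# Middleware class names in the order a request passes through them.
def middleware_names(listing)
  listing.each_line.map(&:strip)
         .select { |line| line.start_with?('use ') }
         .map { |line| line.sub(/\Ause\s+/, '') }
end

# :ok, :guard_before_session, :no_session_middleware or :guard_absent
def check_session_order(listing)
  names = middleware_names(listing)
  guard_at = names.index(GUARD)
  return :guard_absent if guard_at.nil?

  session_at = names.index { |name| name.match?(SESSION_PATTERN) }
  return :no_session_middleware if session_at.nil?

  session_at < guard_at ? :ok : :guard_before_session
end

# Constructed sample listings (not real output).
GOOD_LISTING = <<~LISTING
  use Rack::Runtime
  use ActionDispatch::Cookies
  use ActionDispatch::Session::CookieStore
  use ActionDispatch::Flash
  use Rack::Protection::SessionHijacking
  run YourApp::Application.routes
LISTING

BAD_LISTING = <<~LISTING
  use Rack::Protection::SessionHijacking
  use ActionDispatch::Cookies
  use ActiveRecord::SessionStore
  run YourApp::Application.routes
LISTING

if __FILE__ == $PROGRAM_NAME
  puts "good: #{check_session_order(GOOD_LISTING)}"
  puts "bad:  #{check_session_order(BAD_LISTING)}"
end
```

`rake middleware` lists only the Rails stack; middleware added with `use` in config.ru wraps the whole application and therefore runs before every entry in that listing.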
