From db0f8d5c7852a012eff7ce8c885e04218b6fdfe1 Mon Sep 17 00:00:00 2001
From: Jordan Owens <jkowens@gmail.com>
Date: Thu, 4 Aug 2016 10:05:02 -0400
Subject: [PATCH] Add session_store setting

---
 README.md             | 59 ++++++++++++++++++++++++++++---------------
 lib/sinatra/base.rb   |  2 +-
 test/settings_test.rb |  5 +++-
 3 files changed, 44 insertions(+), 22 deletions(-)

diff --git a/README.md b/README.md
index 8cf20bf1..127d2573 100644
--- a/README.md
+++ b/README.md
@@ -75,6 +75,7 @@ pick up if available.
     * [Filters](#filters)
     * [Helpers](#helpers)
         * [Using Sessions](#using-sessions)
+        	* [Choosing Your Own Session Middleware](#choosing-your-own-session-middleware)
         * [Halting](#halting)
         * [Passing](#passing)
         * [Triggering Another Route](#triggering-another-route)
@@ -1377,25 +1378,6 @@ get '/:value' do
 end
 ```
 
-Note that `enable :sessions` actually stores all data in a cookie. This
-might not always be what you want (storing lots of data will increase your
-traffic, for instance). You can use any Rack session middleware: in order to
-do so, do **not** call `enable :sessions`, but instead call `set
-:sessions` with your middleware of choice passed in as the value for
-`:session_store` along with any other options:
-
-```ruby
-set :sessions, :session_store => Rack::Session::Pool, :expire_after => 2592000
-
-get '/' do
-  "value = " << session[:value].inspect
-end
-
-get '/:value' do
-  session['value'] = params['value']
-end
-```
-
 To improve security, the session data in the cookie is signed with a session
 secret. A random secret is generated for you by Sinatra. However, since this
 secret will change with every start of your application, you might want to
@@ -1419,6 +1401,40 @@ domain with a *.* like this instead:
 set :sessions, :domain => '.foo.com'
 ```
 
+#### Choosing Your Own Session Middleware
+
+Note that `enable :sessions` actually stores all data in a cookie. This
+might not always be what you want (storing lots of data will increase your
+traffic, for instance). You can use any Rack session middleware: in order to
+do so, one of the following methods can be used:
+
+```ruby
+enable :sessions
+set :session_store, Rack::Session::Pool
+```
+
+Or to enable sessions with a hash of options:
+
+```ruby
+set :sessions, :expire_after => 2592000
+set :session_store, Rack::Session::Pool
+```
+
+Another option is to **not** call `enable :sessions`, but instead pull in your
+middleware of choice as you would any other middleware:
+
+```ruby
+use Rack::Session::Pool, :expire_after => 2592000
+```
+
+It is important to note that when using this method, session based protection (see 'Configuring attack protection') will not be enabled by default. The Rack middleware to do that will also need to be added:
+
+```ruby
+use Rack::Session::Pool, :expire_after => 2592000
+use Rack::Protection::RemoteToken
+use Rack::Protection::SessionHijacking
+```
+
 ### Halting
 
 To immediately stop a request within a filter or route use:
@@ -2099,7 +2115,7 @@ set :protection, :except => [:path_traversal, :session_hijacking]
 ```
 
 By default, Sinatra will only set up session based protection if `:sessions`
-has been enabled.
+have been enabled. See 'Using Sessions'.
 
 ### Available Settings
 
@@ -2230,6 +2246,9 @@ has been enabled.
     See 'Using Sessions' section for more information.
   </dd>
 
+  <dt>session_store</dt>
+  <dd>The Rack session middleware used. Defaults to <tt>Rack::Session::Cookie</tt>. See 'Using Sessions' section for more information.</dd>
+
   <dt>show_exceptions</dt>
   <dd>
     Show a stack trace in the browser when an exception happens. Enabled by
diff --git a/lib/sinatra/base.rb b/lib/sinatra/base.rb
index 5028fa07..a8c49531 100644
--- a/lib/sinatra/base.rb
+++ b/lib/sinatra/base.rb
@@ -1709,7 +1709,6 @@ module Sinatra
         options = {}
         options[:secret] = session_secret if session_secret?
         options.merge! sessions.to_hash if sessions.respond_to? :to_hash
-        session_store = options.delete(:session_store) { Rack::Session::Cookie }
         builder.use session_store, options
       end
 
@@ -1782,6 +1781,7 @@ module Sinatra
     set :dump_errors, Proc.new { !test? }
     set :show_exceptions, Proc.new { development? }
     set :sessions, false
+    set :session_store, Rack::Session::Cookie
     set :logging, false
     set :protection, true
     set :method_override, false
diff --git a/test/settings_test.rb b/test/settings_test.rb
index 4843cd19..88c2297b 100644
--- a/test/settings_test.rb
+++ b/test/settings_test.rb
@@ -567,7 +567,10 @@ class SettingsTest < Minitest::Test
 
     it 'sets up RemoteToken if sessions are enabled with a custom session store' do
       MiddlewareTracker.track do
-        Sinatra.new { set :sessions, :session_store => Rack::Session::Pool }.new
+        Sinatra.new {
+          enable :sessions
+          set :session_store, Rack::Session::Pool
+        }.new
         assert_include MiddlewareTracker.used, Rack::Session::Pool
         assert_include MiddlewareTracker.used, Rack::Protection::RemoteToken
       end