Merge remote-tracking branch 'origin/improves-sessions-storing-security-2pr02g9' into dev

Gemfile

@@ -144,3 +144,5 @@ gem 'tzinfo-data'
 
 # compilation of dynamic stylesheets (home page & theme)
 gem 'sassc', '= 2.1.0'
+
+gem 'redis-session-store'

Gemfile.lock

@@ -351,6 +351,9 @@ GEM
       activesupport
       i18n
     redis (4.6.0)
+    redis-session-store (0.11.4)
+      actionpack (>= 3, < 8)
+      redis (>= 3, < 5)
     regexp_parser (2.5.0)
     repost (0.3.2)
     responders (2.4.1)
@@ -542,6 +545,7 @@ DEPENDENCIES
   rails_12factor
   rb-readline
   recurrence
+  redis-session-store
   repost
   responders (~> 2.0)
   rolify

config/initializers/session_store.rb

@@ -2,6 +2,14 @@
 
 # Be sure to restart your server when you modify this file.
 
-Rails.application.config.session_store :cookie_store,
+redis_host = ENV['REDIS_HOST'] || 'localhost'
+
+Rails.application.config.session_store :redis_session_store,
+                                      redis: {
+                                        expire_after: 14.days,  # cookie expiration
+                                        ttl: 14.days,           # Redis expiration, defaults to 'expire_after'
+                                        key_prefix: 'fabmanager:session:',
+                                        url: "redis://#{redis_host}:6379",
+                                      },
                                        key: '_Fab-manager_session',
                                        secure: (Rails.env.production? || Rails.env.staging?) && !Rails.application.secrets.allow_insecure_http