Saturday, April 28, 2007

Of presentations and security...

So... I had the chance to give a presentation to the East Bay Ruby on Rails Meetup Group (that's the Oakland part of the San Francisco Bay) about what it's like to be a nuby. Bottom line: the first step is an easy one, but after that it's a doozy (see the presentation here).

During the great discussion that followed, one of the group pointed out that production logging is at the :info level, and that's not good: the data users submit to the site gets written to the log in clear text, so it is not as well protected as it should be (an attacker would still have to break into the server to read the log, but obviously relying on that is not good enough).

So I set about closing this loophole, and also about getting the sessions out of file storage and into the database, where they are protected by the database password.

This should have been simple and easy, but it turned out to be really tricky: an example of things not being exactly what they seem to be. Here's the deal.

I had previously updated my environment.rb file to customize the logger, having found this code snippet at snippets.com.


# Rotate through 2 old log files, starting a new one once the current log reaches 131072 bytes (128 KB)
config.logger = Logger.new("#{RAILS_ROOT}/log/#{ENV['RAILS_ENV']}.log", 2, 131072)


For some reason I couldn't get it to work as I reported in an earlier post. I had finally gotten it to work (I think it may have had to do with restarting my server, but it's unclear) and life was good: I had smaller logs and didn't have to wait so long for it to load when I was doing some testing.

However, what I found was that -- once this new logger was running -- I couldn't change the logging level (normally done with config.log_level in environment.rb or environments/production.rb). I wanted a logging level of :error (instead of :info) so that the details of every request weren't routinely written to the log. I tried a number of things, including the following code in environment.rb:


if ENV['RAILS_ENV'] == 'production'
  config.log_level = :error
else
  config.log_level = :debug
end


but that didn't work... things kept getting logged at the :info level in production -- definitely not good.

I also tried setting it with config.logger.log_level = :error but that didn't seem to work either.

I finally -- after much futzing around -- decided simply to remove the new Logger snippet and see if that would do the trick: and it did. Now I can set the logging level in production (in the environments/production.rb file) with a simple config.log_level = :error.

Someday I'll go back and try to understand what happened. For now, the system is operating the way I want it to and I've moved the config.logger snippet to my environments/development.rb file so that I have that capability in development where I really need it.

Fortunately, the sessions question was as easy as 1-2-3:

1. Run the command:
   rake db:sessions:create
2. Run the migration:
   rake db:migrate
3. Change the production.rb file:
   config.action_controller.session_store = :active_record_store

and we're in business!

This is really an analogy for my experience with Rails: some of it is subtly obscure and challenging (like the Logger situation), while some of it is wonderfully intuitive and easy (like the Sessions situation).

Let's hear it for more of the latter!

1 comment:

  1. “However, what I found was that -- once this new logger was running -- I couldn't change the logging level (normally done with config.log_level in environment.rb or environments/production.rb).”

    config.logger is a Ruby standard library Logger object. Your desired log level is set this way:

    config.logger.level = Logger::ERROR

    instead of config.log_level = :error.

    See Logger docs and Rails intestines in railties/lib/initializer.rb for more info.

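To make the point of the post and the comment concrete: a custom Logger ignores config.log_level, but its own level= method still filters what gets written. The following is an added example (not from the post or from Rails itself) that uses only Ruby's standard library Logger with an in-memory buffer; the request lines and the form parameters are constructed stand-ins for what Rails wrote to production.log at :info.

```ruby
require 'logger'
require 'stringio'

# Constructed stand-in for a submitted form: at :info, Rails wrote the full
# params hash to the log, so values like these ended up in clear text.
SAMPLE_PARAMS = { "login" => "alice", "password" => "hunter2" }.freeze

# Build a standard-library Logger writing to an in-memory buffer so the
# effect of the level can be inspected. `level` is one of the Logger
# constants (Logger::DEBUG, Logger::INFO, Logger::ERROR, ...), which is
# what the comment above sets with config.logger.level = Logger::ERROR.
def build_logger(level)
  buffer = StringIO.new
  logger = Logger.new(buffer)
  logger.level = level
  [logger, buffer]
end

# Simulate what the framework logs for one request at each severity and
# return the resulting log text. The messages are constructed examples.
def simulate_request_log(level)
  logger, buffer = build_logger(level)
  logger.info  "Processing SessionsController#create (for 127.0.0.1)"
  logger.info  "  Parameters: #{SAMPLE_PARAMS.inspect}"
  logger.error "ActiveRecord::RecordNotFound: Couldn't find User"
  buffer.string
end

# True if any submitted form value appears in the captured log text.
def leaks_params?(log_text)
  SAMPLE_PARAMS.values.any? { |value| log_text.include?(value) }
end

if __FILE__ == $PROGRAM_NAME
  puts "--- level INFO: parameters are written in clear text ---"
  puts simulate_request_log(Logger::INFO)
  puts "--- level ERROR: only the error line survives ---"
  puts simulate_request_log(Logger::ERROR)
end
```

With Logger::INFO the password value appears in the buffer; with Logger::ERROR only the error line is written.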