I have a Rails 6.1 app. I store a session variable for excluded notifications. A user can disable a notification and the specific notification is stored in a session variable.
This setup works fine for desktop. However when using opening the website using an Android device the created session cookie does not persist after closing the browser. So everytime a user closes the browser and reopens it, a new session cookie is created.
The issue is not related to a specific browser and happens on mobile browsers.
I store other cookies that do persist
The setup is a follows:
Store session key in controller:
session[:disabled_notices] ||= []
session[:disabled_notices] << params[:notice]
Check if notice if notice is excluded from session variable in view:
session[:disabled_notices].exclude?(notice_name)
session_store.rb
Rails.application.config.session_store :cookie_store, key: '_iftf_session', domain: :all
Does anyone have any idea what could cause this problem? Thank you for your help!
A session cookie is deleted when a browser is closed unless the browser has a session restore feature enabled. That's why they are called session cookies. Not all browsers have this feature enabled.
Try storing this setting in a separate persistent cookie (a cookie with a Max-age attribute set).
https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#define_the_lifetime_of_a_cookie
Related
In my app I need to implement next feature: when user logged-in in the app, it (the app) needs to save cookies (or any other data) for certain website to mobile Safari. The goal is to not make user log-in next time when he will open that website in Safari.
Documentation says that it can't be done on iOS using cookies. Does anybody know any other solution? Required feature of implementation is to make it 'silently' to user, without opening Safari.
UPDATE
Is it possible to access app data from mobile Safari and get some callback? For example when user browses website the site sends some callback to the app and gets some response with user' data.
Old question, but could you open Safari to a special one-time URL from your app which takes user to a page which you host, passing a token which you retrieve from API on same server, with page then validating token and setting cookie? That way authorization is handled on server, and server can set the cookie in the response.
You could do something like this in your app
[[UIApplication sharedApplication] openURL:[NSURL URLWithString:#"https://myhost.com/myhandler?token=PX2G16BWFKZBQWUKGF3BGRY2Z6BEJ7Z3PMO2GZ6S3R00JVWBVEO6VWBEXNK14IBJ5GKAY5EKBLAHNSAJ8"]];
Then page at myhost.com/myhandler would read and validate token, and set cookie on response, and then invalidate the token. You could also add a time limit for how long the token could be used.
You can't access the safari cookies.
Safari's cookies are not accessible from other apps. Each app is given
its own WebKit cache and cookie stores, so while cookies will persist
within the same app, they aren't accessible between apps.
I have been using the devise gem for authenticating my rails app for some time now, and I just began to wonder how the current_user works
How does devise saves the current_user?
Browser session?
Application session?
Some other parts of the Application?
I am suspecting that the answer is number one Browser session. Reason being that even when an app gets restarted, and you try to access the app again from a browser that has been used to sign in already, it automatically signs you in.
My confusion though is this: If it is the browser session, it means that when the browser relaunches ( the session was ended ) current_user should be expired, and the user signed out; but it does not work so.
So, how does the current_user operates? thanks for all contributions.
current_user works by storing id of current user in the application session. Most commonly session is stored in cookies. Whether or not the cookies survive browser restart depends on client's browser settings.
If you have clicked remember_me it stores a signed token unique to user in a permanent cookie and stores it in browser. It is saved in database also.
When current_user is called again , rails checks if the permanent cookie exists, if so compares it with the one in database. If they are the same , you are logged in as that user.
I am using devise in my rails app. There is an ipad app that connects to the this rails app and authentication is done using token. (devise token_authenticatable).
For sessions, I using the default cookie store. My session_stor.rb looks like this,
Ap::Application.config.session_store :cookie_store
Now say I need to store minor data for the ipad user in session, where is it stored? Say in my controller I am doing,
session['last_search'] = search_key_word
Where is this data stored? I am asking this because on cookie based session store, usually session data is stored in browser. I couldn't find any resource that explains what happens in case of a non browser client that uses token for authenticatication.
I suggest saving the history locally in the iPad's app itself. You can create a table "search_history" that stores the recent 10 keywords. Or you may cache it if you want (also on the client side).
I'm creating an app that connects to a website, and I don't want the user to need to enter their user credentials every time the app loads. The website returns a session cookie (no expiry date set). Is there any problem with me holding on to that cookie indefinitely? If I just reload it when the app starts, it seems to work.
Thanks!
Each application has its own cookie store. So if there is no expiration on the cookie, and you don't delete it, and the app isn't deleted, then there's no problem with using it for as long as you like.
EDIT Here are some links for more opinions and insight:
Persisting Cookies In An iOS Application?"
iPhone: NSHTTPCookie is not saved across app restarts
My opinion on the matter is that the mobile environment is fundamentally different from the desktop environment. "Quitting" a mobile application is in no way similar to quitting a desktop application. Quitting a mobile application is similar to switching focus on a desktop. You would not expect to re-authenticate every time you pressed Cmd-Tab.
Limiting the life of session tokens is a valuable security precaution, but is correctly implemented on the server side, not the client side. If the server is designed to allow a session to persist indefinitely (because the desktop app is never quit), then there is no reason to not continue the session on a mobile platform in a similar way.
Note that there are other solutions, such as storing the user credentials in keychain so that you can reuse them. This is appropriate in many cases, but it actually is a lower-security solution than persisting the session token indefinitely. If you're going to hold onto an authentication credential forever, it's better that it be a single-purpose token (i.e. a session cookie) rather than a multi-use username and password.
There is no problem in you allowing this cookie to be set, each application has a cookie store from which you can if you need to check the cookies, however I assume that since this is only a session cookie, you will only need to allow it's existence and let the user leverage the web service until such time the user logs out.
I have done this with some of my apps also.
Good luck.
I have given the following command in my environment.rb
ActionController::CgiRequest::DEFAULT_SESSION_OPTIONS[:session_key] = 'sessionname'
I want my application to expire to some dynamic value which i get from user.
Once the session time which user gives me lapses, i want to remove all the cookies.
I could expire all cookies other than the one above i.e sessionname
This holds the session id and this is the main cookie i want to expire.
Could some one suggest a solution?
it's not good idea to expire session key as it will disrupt users from working with your application
i'd suggest you to have a separate permanent_session_id in cookies which you generate manually upon login and store with expiration time. then use that cookie to log users in if session does not exist.
such approach will allow users to stay logged in while using application and be logged out automatically if permanent_cookie_id is expired after restarting session.