I'm using omniauth to provide Facebook authentication in my Ruby on Rails application. I set up a default expiry of 20 minutes for the session cookie with the following code:
Rails.application.config.session_store :cookie_store, key: '_rails-omniauth_session', expire_after: 20.minutes
Now I want to add a "remember me" feature to my application. In that situation I want to update the expiry date of the '_rails-omniauth_session' cookie. However, I couldn't find how to do that. I have tried some intuitive code examples but couldn't make it work.
How can I update the expiry date set by omniauth in my application? In general terms, how can I add a remember-me facility with omniauth?
Thanks.
I've noticed that after my app is deployed to Heroku the users are forced to log in again because their session cookies seem to expire.
Does anyone know what might be causing this? I'm using Devise and Rails 5.2, and my session store looks like this:
Rails.application.config.session_store :cookie_store,
  key: '_example_session',
  expire_after: 7.days,
  domain: 'example.com'
My first suspicion was that the secret token might be regenerated somehow after deploy, but that doesn't seem to be the case...
We have a setup where currently some pages are served by a Rails 4 app and some by a Rails 5 app. All the authentication logic resides in the Rails 4 app and we are using Devise for authentication. The session_store.rb on the Rails 4 app looks like this: Rails.application.config.session_store :cookie_store, key: '_app_store'. I want to have current_user accessible in the Rails 5 app as well. Note: both apps are under the same domain. Also, how should I go about setting up Devise on my Rails 5 app so that current_user is accessible?
First, allow the cookie to apply to all of your subdomains:
Rails.application.config.session_store :cookie_store, key: '_app_store', domain: :all
When the browser accesses a website, the website tells the browser to set a cookie. When this happens, it specifies the cookie name, value, domain, and path.
:domain => :all makes a dot in front of the cookie domain (which is whatever host your browser has browsed to), so the cookie applies to all subdomains.
Another good thread about this topic can be found here:
https://stackoverflow.com/a/4065929/1625253
I am working on a Rails app that recently went through a security audit, and one of the issues they came up with is that if a user gets the "session_id" from another user's cookie, he is able to log in as that user. Is it possible to prevent this? How would I do it with my current setup?
Rails 3.2.12
devise (2.1.2)
My config/initializers/session_store.rb is
MyApp::Application.config.tap do |config|
config.session_store :active_record_store, config.session_options
end
Force SSL is enabled on production
config.force_ssl = true
I looked at Rails 4 Encrypted Cookie Replay Attack but since mine is using active record for sessions, not sure I can do the same.
I tried to add :session_limitable from Devise security extension, but it appears to be doing something else altogether.
To quote the security test result
Mitigate session replaying by ensuring that only 1 login is active at a time. -- able to login as another user just by changing the "_session_id" cookie
In Rails 4 is it possible to set a (far) expiration date for a session so that it is persistent?
I know it is possible for cookies, so, given that sessions are based on cookies, I would like to change the expiration date. How to set that for a single session and how to configure the environment for all sessions?
P.S. I want to use sessions instead of cookies because in Rails they are secure by default.
Aware of possible security implications, here's the solution I found:
# config/initializers/session_store.rb
MyApp::Application.config.session_store :cookie_store, :expire_after => 1.year
I am trying to integrate Twitter into Devise using this guide. I basically take every occurrence of facebook and substitute it with twitter. However, when I sign in with Twitter, I am getting the following error:
ActionDispatch::Cookies::CookieOverflow (ActionDispatch::Cookies::CookieOverflow):
at the following url:
http://localhost:3000/users/auth/twitter/callback?oauth_token=something&oauth_verifier=blah
Is there any nice way to get around fixing this problem?
Thanks!
The problem is with session["devise.facebook_data"] = env["omniauth.auth"]. Twitter's response contains an extra section that is very large and does not fit in the session. One option is to store env["omniauth.auth"].except("extra") in the session instead.
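To see why the Twitter response overflows the cookie store and why dropping "extra" fixes it, here is a stand-alone check (added example, not code from the question or answer). It assumes a constructed omniauth-style hash; the 4096-byte limit is Rails' ActionDispatch::Cookies::MAX_COOKIE_SIZE, and the size estimate is a lower bound since the real store also adds a signature or ciphertext.

```ruby
require "json"
require "base64"

# Rails refuses to write a session cookie larger than this and raises CookieOverflow.
MAX_COOKIE_SIZE = 4096

# Constructed stand-in for env["omniauth.auth"] from the Twitter strategy: the
# "extra" section carries the full raw profile and is what blows the budget.
def sample_twitter_auth(extra_bytes: 6000)
  {
    "provider"    => "twitter",
    "uid"         => "123456",
    "info"        => { "nickname" => "alice", "name" => "Alice Example",
                       "email" => nil, "image" => "https://example.invalid/a.png" },
    "credentials" => { "token" => "t" * 50, "secret" => "s" * 45 },
    "extra"       => { "raw_info" => { "description" => "x" * extra_bytes,
                                       "status" => { "text" => "hello" } } }
  }
end

# Lower bound on the cookie the store would have to write: serialized session
# hash, Base64-encoded. Treat anything near the limit as an overflow.
def cookie_payload_size(session_hash)
  Base64.strict_encode64(JSON.generate(session_hash)).bytesize
end

def fits_in_cookie?(session_hash)
  cookie_payload_size(session_hash) <= MAX_COOKIE_SIZE
end

# Keep only what the sign-up flow needs. Dropping "extra" (the answer's fix) is
# the big win; dropping "credentials" as well avoids parking an OAuth token and
# secret in a client-side cookie at all.
def slim_auth(auth, keep_credentials: false)
  slim = auth.reject { |key, _| key == "extra" }
  slim.delete("credentials") unless keep_credentials
  slim
end

if __FILE__ == $PROGRAM_NAME
  full = { "devise.twitter_data" => sample_twitter_auth }
  slim = { "devise.twitter_data" => slim_auth(sample_twitter_auth) }
  puts "full auth hash: #{cookie_payload_size(full)} bytes, fits=#{fits_in_cookie?(full)}"
  puts "without extra:  #{cookie_payload_size(slim)} bytes, fits=#{fits_in_cookie?(slim)}"
end
```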
You can turn on the ActiveRecord store for sessions.
Look in config/initializers/session_store.rb
comment out the line about using :cookie_store
uncomment the lines at the bottom about using :active_record_store
# Use the database for sessions instead of the cookie-based default,
# which shouldn't be used to store highly confidential information
# (create the session table with "rails generate session_migration")
MyApp::Application.config.session_store :active_record_store
Create the migration with rails g session_migration and run it.