In Rails 4 is it possible to set a (far) expiration date for a session so that it is persistent?
I know it is possible for cookies, so, given that sessions are based on cookies, I would like to change the expiration date. How to set that for a single session and how to configure the environment for all sessions?
P.S. I want to use sessions instead of cookies because in Rails are secure by default.
Aware of possible security implications, here's the solution I found:
# config/initializers/session_store.rb
MyApp::Application.config.session_store :cookie_store, :expire_after => 1.year
Related
In Rails, the default for storing the session is using cookie_store.
Application.config.session_store :cookie_store, key: '_myapp_session'
But sometimes, the session is stored in a database, like Redis.
Application.config.session_store(
:redis_store,
servers: config.redis_server,
key: '_myapp_sessions',
)
When should we use the cookie store and when should we use a database?
When you need to store more than 4KB of data in your session.
When you need more control over expiring sessions. Here are two examples where you might need this kind of control:
If you make a change to your app that requires new information to be in the session or there is a security breach and you need to expire all sessions so that all users need to sign in again, it is much easier if the sessions live in a database vs needing to change the secret_key_base to invalidate cookie_store sessions.
A Maintained Session is where an attacker keeps a session alive indefinitely. The problem is mentioned here https://guides.rubyonrails.org/security.html#session-expiry If you want to protect against a Maintained Session this is easily done using a database by setting a created_at attribute on the session and not with a cookie_store session because it gets re-created with each request.
If your rails app running on a cluster(multiple servers) environment or session data goes beyond 4KB(cookie store has the limit of 4KB memory) then use Redis or any other database.
I'm using omniauth to provide Facebook authentication facility in my ruby on rails application. I set up default expire date for cookies 20 minutes by following code:
Rails.application.config.session_store :cookie_store, key: '_rails-omniauth_session', expire_after: 20.minutes
Now I want to add "remember me" feature to my application. In that situation I want to update expire date for '_rails-omniauth_session' cookie. However, I couldn't find how to do that. I have tried some instinctive code examples but couldn't make it.
How can I update expire date set by omniauth in my application. In general term how can I add remember me facility with omniauth.
Thanks.
when creating a session in Redmine
config/application.rb
config.session_store :cookie_store, :key => '_redmine_session'
how long does the default session last?
and how do i change the default length? (for example to last one hour)
Redmine stores session data in a cookie (as is the default in Rails apps in general). As such, there is no actual session data stored on the server.
The session data in the cookies are cryptographically signed in a way that actual end users can not change them. However, the information is visible to them which means that you shouldn't store sensitive (or large amounts of) data in there.
Coincidentally, this is also why you need to create the session secret when you first install Redmine. It is used to sign the cookie and to ensure that the data wasn't tampered with.
For Time Setting Check this https://github.com/redmine/redmine/blob/master/config/settings.yml
I just get started to learn things in ruby on rails.
In rails, how can I expire a session with a specified session session_id?
Or is it a not recommended approach in ruby on rails?
Thanks in advance.
Not recommended. Its self controlled according to user login and logout but there are requirements and special cases.
If you really want to do after certain intervals: setting-session-timeout-in-rails.
For specific expiration date you can use session cookie as: Session Cookie.
I'm not very experienced with the parts of Rails that are not on the surface.
All I want is to have a session cookie that has the expiration set to session so it expires when the user leaves their browser or whatever. As a security measurement.
By default the cookie is a session cookie.
You have complete control over the cookie by providing an options hash in config/initializers/session_store.rb . The options are the same as to Rack::Session::Cookie(see docs). So for example, for a specific expiration date you can provide :expire_after .
If you're using Devise, and rememberable strategy, then there's another cookie which can be used in order to retrieve the user.
You can configure it. Take a look at these links
https://stackoverflow.com/a/1232216/1160106
https://stackoverflow.com/a/5861018/1160106