I just get started to learn things in ruby on rails.
In rails, how can I expire a session with a specified session session_id?
Or is it a not recommended approach in ruby on rails?
Thanks in advance.
Not recommended. Its self controlled according to user login and logout but there are requirements and special cases.
If you really want to do after certain intervals: setting-session-timeout-in-rails.
For specific expiration date you can use session cookie as: Session Cookie.
Related
I want to store a non-critical non-confidential piece of information in the user's session in a Ruby on Rails app. The user model is set up with Devise. How do I do this? Various guides give conflicting and incomplete information about it. session[:foo]? user_session[:foo]? Do I need to set something up to be able to use whichever it is - e.g. get a gem, config something, or insert any lines before setting the session variable?
To provide context - the user may be creating multiple new items back-to-back, so it would be nice if the new form remembered and pre-selected the category based on what they selected previously. If there's a better way to do this, I'm open to suggestions. I'm new to all this. Thank you!!
Are session variables in 'session' or 'user_session' in Rails?
The simple answer is the session variables is named session.
A session usually consists of a hash of values and a session id, usually a 32-character string, to identify the hash. Every cookie sent to the client's browser includes the session id. And the other way round: the browser will send it to the server on every request from the client. In Rails you can save and retrieve values using the session method:
session[:cat_id] = cat_id
Category.find(session[:cat_id])
You can read this Rails Guide about session.
ActionDispatch::Session::CookieStore
The default Rails session object is accessible via the session helper method. It gives you an access to some chunks of data and is bound to a cookie value stored in your browser.
The user_session helper is provided by the Devise gem. It gives you additional security by restricting access to specific session data while user is authenticated on a server.
As I understand one of the strategies to store sessions is store it in the cookie. There is one thing I don't understand from the docs:
To prevent session hash tampering, a digest is calculated from the
session with a server-side secret and inserted into the end of the
cookie.
What does this mean? How do they prevent that, if I get a cookie from another user, and I use it in my browser, I can't pretend I am the other user? I guess I don't understand what session hash tampering means.
How do they prevent that, if I get a cookie from another user, and I
use it in my browser, I can't pretend I am the other user?
This is called session hijacking, and is covered in http://guides.rubyonrails.org/security.html#session-hijacking. The recommended way to to mitigate this is by "always forcing SSL connection in your application config file", like so:
config.force_ssl = true
The whole http://guides.rubyonrails.org/security.html is definitely worth a read, for more goodness like this.
I have an rails app which relies on authenticating username/password entered to an external webservice. Rails app will not have a user model. When a user enters login/password and it makes a post request to check that login/password. External application will return back a cookie or token which can be used for subsequent requests made from rails app.
There is no User model in the rails app since all the users are stored in an external application.
Is there a gem which let me strictly do session management? I'm planning on storing that token in a session.
why not just create a sessions controller that saves the token into a session? I don't see a need for a gem.
something like
sessions[:token] = token
If you are dealing with a tokens that expire like facebook you can take a look at this
http://developers.facebook.com/blog/post/2011/05/13/how-to--handle-expired-access-tokens/
hope it helps
I might look at the way Michael Hartl does user sessions in his Rails tutorial. What you want is something slightly different, but you might be able to reuse some of what he did there. http://ruby.railstutorial.org/chapters/sign-in-sign-out#sec-current_user
(It's also just a good tutorial to go through, regardless of your level of Rails experience.)
I have a question about sessions on ruby-on-rails.
We have a several options about session storage such as cookie, active_record_store, etc..
I primarily use the cookie storage, but, there are some client which doesn't support cookie function. In that case, I have to make that client to use the "active_record_store".
My rails version is 2.3.5.
I found out that even though I use the active_record_store, the cookie is still available.
In my situation, both session storage might be available.
So, I want to make the framework to primarily use the cookie, when the cookie is available.
On the other hand, the client doesn't support the cookie, secondly to use the active_record_store.
I think this function requires some override to the framework, but I don't know how to do it.
Do you have any idea for that?
Thank you very much in advance.
If your client can't stock cookie, you can't have a session_store. Even in active_record.
The session system know which session you have with save session_id in cookie. So if your client refuse cookie. You can't have session system.
But your can hack a little to make a system where the cookie store is pass in URL params.
I'd like to add something like the "remember me" option into a Rails application and I need to create a persistent session that doesn't expire when the user closes his browser.
The only solution I found right now is to use a plugin:
http://blog.codahale.com/2006/04/08/dynamic-session-expiration-times-with-rails/
Are there any other (better) solutions?
Use cookies and set the expiration to a date very far into the future.
Take a look at how technoweenie's restful authentication does it.
Particularly line 122 of the generator which allows login from a cookie.