Sessions never expire in rails 3.2 - ruby-on-rails

My sessions seem to never expire, even though I configured my session_store.rb file to have this code:
Barcadia::Application.config.session_store :cookie_store,
  :key => '_barcadia_session',
  :expire_after => 15.minutes
I want users to have to re-login if they have been idle for more than 15 minutes. I am using rails 3.2 and I've tried both cookie_store and active_record_store... Nothing seems to work.

The only thing I see missing are the brackets:
Barcadia::Application.config.session_store :cookie_store, {
  :key => '_barcadia_session',
  :expire_after => 15.minutes
}

Some::Application.config.session_store :active_record_store, {
  expire_after: 24.hours,
}
This worked for me.
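
An added example, not part of the answers above: `:expire_after` sets the expiry on the cookie sent to the browser, so the 15-minute idle rule from the question can also be enforced on the server by keeping timestamps in the session itself. The key names, the limits and the `check_session_age` helper are assumptions for this sketch; `session` is modelled as a plain Hash so the code runs without Rails.

```ruby
# Added example: server-side idle timeout that does not rely on cookie expiry.
# IDLE_LIMIT, ABSOLUTE_LIMIT and the session key names are assumptions.
IDLE_LIMIT     = 15 * 60       # seconds of inactivity allowed (15 minutes)
ABSOLUTE_LIMIT = 8 * 60 * 60   # hard cap on session age, however active

# Returns :new, :ok, :idle_expired, :too_old or :invalid and updates `session`
# in place. On any result other than :new / :ok the session is emptied so the
# caller can send the user back to the login page.
def check_session_age(session, now = Time.now)
  now_i   = now.to_i
  started = session[:started_at]
  seen    = session[:last_seen_at]

  # First request of a fresh session: stamp it and carry on.
  if started.nil? && seen.nil?
    session[:started_at]   = now_i
    session[:last_seen_at] = now_i
    return :new
  end

  verdict =
    if !started.is_a?(Integer) || !seen.is_a?(Integer) || seen < started
      :invalid        # one stamp missing, wrong type, or out of order
    elsif now_i - seen > IDLE_LIMIT
      :idle_expired   # nothing heard from this session for too long
    elsif now_i - started > ABSOLUTE_LIMIT
      :too_old        # active, but past the maximum lifetime
    else
      :ok
    end

  if verdict == :ok
    session[:last_seen_at] = now_i   # sliding window: activity renews it
  else
    session.clear
  end
  verdict
end
```

In a controller this would run in a `before_filter`, calling `reset_session` and redirecting to the login page on any result other than `:ok` or `:new`.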

Related

Session's storage and expiration in Rails

I'm new at Ruby/Rails, and I've got some questions about session mechanism in Rails and about sessions as a whole.
I've read that session mechanism in Rails 4 uses cookies as a default store. Is it true?
As I know, sessions are destroyed after closing a browser. Can I change time of expiration manually?
Thanks in advance.
Yes, sessions are stored in a cookie by default. If you look under config/initializers/ you will find a session_store.rb file with the following contents.
Appname::Application.config.session_store :cookie_store, key: '_appname_session'
As far as overriding this behaviour, you can create a custom cookie and set its expiration date to the time you want. Generally that's how user sessions are handled when creating authentication. For example:
def sign_in(user)
  cookies[:session_token] = { value: user.session_token, expires: 1.day.from_now }
  self.current_user = user
end
Then you use that cookie to persist the user session.
You can set the timeout using expire_after in the initializer:
My::Application.config.session_store :active_record_store, {
  key: "session_id",
  domain: "domain.com",
  expire_after: 12.hours,
}
Yes
Yes
Both of these things can be set in config/initializers/session_store.rb. E.g.:
MyApp::Application.config.session_store :cookie_store,
  :key => '_my_app_session',
  :expire_after => 30.minutes

With Rails and Devise, how do I set the cookie properties if I'm using ActiveRecord store?

In myapp/config/initializers/session_store.rb, I have the following:
Myapp::Application.config.session_store :cookie_store, :key => '_myapp_session', :domain => :all
The :key option sets the name to use for the cookie, and :domain => :all says that the cookie can be shared across subdomains.
Now I want to move to using ActiveRecord to store the session. If I do this:
Myapp::Application.config.session_store :active_record_store
... although the session is stored in the database, there is still, of course, a cookie. But I no longer have control over its name or scope.
How can I use ActiveRecord store for the session and still specify the cookie name and domain?
Figured it out
It's very simple, actually:
Myapp::Application.config.session_store :active_record_store, :key => '_myapp_session', :domain => :all

Rails 3 additional session configuration options (key, expires_after, secure)

Can someone point out what the new Rails 3.x session configuration options are?
I'm trying to duplicate the same configuration that I have in my Rails 2.3.x application.
This is the configuration that I used in the application:
# environment.rb
config.action_controller.session_store = :active_record_store
config.action_controller.session = {
  :key => '_something', # non-secure for development
  :secret => 'really long random string'
}
# production.rb - override environment.rb for production
config.action_controller.session = {
  :key => '_something_secure',
  :secret => 'really long random string',
  :expire_after => 60*60, # time in seconds
  :secure => true # The session will now not be sent or received on HTTP requests.
}
However, in Rails 3.x, I can only find mention of the following:
AppName::Application.config.session_store :active_record_store
AppName::Application.config.secret_token = 'really long random string'
AppName::Application.config.cookie_secret = 'another really long random string'
Are there other config settings to control the key, expire_after time, and secure option?
Regarding the latter, if "config.force_ssl = true" is set in production.rb, I assume the secure option is no longer required?
Thanks very much!
You now configure the Cookie-based session store through an initializer, probably in config/initializers/session_store.rb. In Rails 3 the session store is a piece of middleware, and the configuration options are passed in with a single call to config.session_store:
Your::Application.config.session_store :cookie_store, :key => '_session'
You can put any extra options you want in the hash with :key, e.g.
Your::Application.config.session_store :cookie_store, {
  :key => '_session_id',
  :path => '/',
  :domain => nil,
  :expire_after => nil,
  :secure => false,
  :httponly => true,
  :cookie_only => true
}
(Those are just the standard defaults)
If you force SSL in production then setting secure on the cookie shouldn't really make a difference in practice, but you might want to set it just to be on the safe side...
Your::Application.config.session_store :cookie_store, {
  :key => '_session_id',
  :secure => Rails.env.production?
}
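
A way to confirm that the options listed above actually reached the browser, as an added example that is not part of the original answer: it parses a `Set-Cookie` header value and reports which of `:key`, `:secure`, `:httponly`, `:domain` and `:expire_after` are visible in it. The function names and both sample headers are constructed for illustration.

```ruby
require 'time'

# Constructed sample headers (not captured from a real application).
SAMPLE_STRICT = '_session_id=abc123; path=/; expires=Thu, 01 Jan 2015 00:15:00 GMT; secure; HttpOnly'
SAMPLE_WEAK   = '_session_id=abc123; domain=.example.com; path=/'

# Splits one Set-Cookie value into [cookie_name, {attribute => value or true}].
def parse_set_cookie(header)
  parts = header.split(';').map(&:strip).reject(&:empty?)
  name, _value = parts.shift.to_s.split('=', 2)
  attrs = {}
  parts.each do |part|
    key, value = part.split('=', 2)
    attrs[key.strip.downcase] = value.nil? ? true : value.strip
  end
  [name, attrs]
end

# Returns a list of findings; an empty list means the header carries the
# expected :key, has Secure and HttpOnly, and expires within max_lifetime.
def audit_session_cookie(header, expected_key, max_lifetime, now = Time.now)
  name, attrs = parse_set_cookie(header)
  findings = []
  unless name == expected_key
    findings << "cookie is named #{name.inspect}, expected #{expected_key.inspect}"
  end
  findings << 'Secure flag missing' unless attrs['secure']
  findings << 'HttpOnly flag missing' unless attrs['httponly']
  if attrs['domain'].is_a?(String)
    findings << "Domain=#{attrs['domain']}: cookie is also sent to subdomains"
  end
  if attrs['expires'].is_a?(String)
    begin
      remaining = Time.parse(attrs['expires']) - now
      findings << 'Expires is further away than the configured lifetime' if remaining > max_lifetime
    rescue ArgumentError
      findings << 'Expires attribute is not a parsable date'
    end
  else
    findings << 'no Expires attribute'
  end
  findings
end
```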

Subdomain cookie sharing in Rails 3 is not working (on Heroku)?

I'm trying to have cookies on my site dapshare.com work for both the root address and the 'www' subdomain.
A lot of other stackoverflow answers (and the great Railscasts vid on this topic) have suggested adding this line to session_store.rb:
Dapshare::Application.config.session_store :cookie_store, :key => '_dapshare_session', :domain => :all
This doesn't seem to make a difference: if I log in at dapshare.com, I still am not logged in at www.dapshare.com.
Am I doing something wrong here? I am using the following code to store information in the cookie:
cookies.permanent.signed[:thing_to_store] = store_information
Thanks for any help!
Short answer: using the 'cookies[:new_cookie] =' does not seem to grab the domain from the session_store config settings.
I added the :domain to the new cookie and it now works:
cookies.permanent.signed[:new_cookie] = {:value => new_value, :domain => ".dapshare.com"}
For anyone else reading, you also need to specify the domain when deleting the cookie
cookies.delete :new_cookie, :domain => ".dapshare.com"
(Thanks for your help with diagnosis Andrew Marshall.)
You can actually just specify your cookies using domain => :all instead of domain => '.dapshare.com' in Rails 3.1 +:
cookies.permanent.signed[:new_cookie] = {:value => new_value, :domain => :all}
This is more flexible than outright specifying a string domain. Now your application won't break on a different production domain.
I encountered this issue when passing :all doesn't seem to work properly. If you want to use it only for subdomains, try the following:
Dapshare::Application.config.session_store :cookie_store, :key => '_dapshare_session', :domain => '.dapshare.com'

How do I manipulate my session's expiry time after Rails app initialization?

I'm using the dalli memcached client for session storage in my Rails app. I'd like to allow users to check a 'Keep me signed in' box when they login to the app, which will cause the session to expire after a month or something. It's pretty straightforward to set the expiration time in the app initialization:
config/initializers/session_store.rb
require 'action_dispatch/middleware/session/dalli_store'
Rails.application.config.session_store :dalli_store, :memcache_server => ['host1', 'host2'], :namespace => 'sessions', :key => '_foundation_session', :expire_after => 30.minutes
But how would I go about manipulating :expire_after after the app has been initialized?
I'm not sure this will work for you, but in Rails 2.3 with the DB session store you could use something similar in your action:
request.session_options = request.session_options.dup
request.session_options[:expire_after] = 5.minutes
request.session_options.freeze
I hope it is useful
edit:
I found this new article for rails3
http://augustl.com/blog/2010/dynamic_session_expiration_time_in_rails_3
I hope it is useful
