Rails Session id - ruby-on-rails

I have given the following command in my environment.rb
ActionController::CgiRequest::DEFAULT_SESSION_OPTIONS[:session_key] = 'sessionname'
I want my application to expire after some dynamic value which I get from the user.
Once the session time which the user gives me lapses, I want to remove all the cookies.
I could expire all cookies other than the one above, i.e. sessionname.
This holds the session id and this is the main cookie I want to expire.
Could someone suggest a solution?

It's not a good idea to expire the session key, as it will disrupt users working with your application.
I'd suggest you have a separate permanent_session_id in cookies which you generate manually upon login and store with an expiration time. Then use that cookie to log users in if the session does not exist.
Such an approach will allow users to stay logged in while using the application and be logged out automatically if permanent_cookie_id has expired after restarting the session.
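One way to build the "permanent" cookie the answer describes, as an added example that is not part of the original answer or of Rails itself. It is plain Ruby with no Rails dependency: the class name RememberMe, the in-memory @tokens hash standing in for a database table, the 14-day default lifetime and the restore_session helper are all assumptions. Only a SHA-256 hash of the token is stored server-side, the cookie is marked HttpOnly and Secure, and an expired or unknown token yields no user.

```ruby
require 'securerandom'
require 'digest'
require 'time'

# Added example (not from the original answer): a persistent login cookie
# issued at login, stored server-side with an expiry, and used to rebuild the
# session when the Rails session cookie is gone. The class name, the @tokens
# hash (stand-in for a DB table) and the 14-day lifetime are assumptions.
class RememberMe
  COOKIE_NAME = 'permanent_session_id'
  LIFETIME = 14 * 24 * 60 * 60 # seconds; the per-user "dynamic value" from the question goes here

  def initialize(now: -> { Time.now })
    @now = now
    @tokens = {} # SHA-256(token) => { user_id:, expires_at: }
  end

  # Called on login: returns the cookie the browser should keep.
  # Only the hash is stored, so a leaked table does not yield usable cookies.
  def issue(user_id, lifetime: LIFETIME)
    token = SecureRandom.urlsafe_base64(32)
    expires_at = @now.call + lifetime
    @tokens[digest(token)] = { user_id: user_id, expires_at: expires_at }
    { name: COOKIE_NAME, value: token, expires: expires_at, httponly: true, secure: true }
  end

  # Called when session[:user_id] is missing. Returns the user id to put back
  # into the session, or nil when the cookie is absent, unknown or expired.
  def user_for(cookie_value)
    return nil if cookie_value.nil? || cookie_value.empty?
    key = digest(cookie_value)
    record = @tokens[key]
    return nil unless record
    if record[:expires_at] <= @now.call
      @tokens.delete(key) # lapsed: forget it so it cannot be replayed later
      return nil
    end
    record[:user_id]
  end

  # Called on explicit logout: revoke server-side, then have the browser drop the cookie.
  def revoke(cookie_value)
    @tokens.delete(digest(cookie_value.to_s))
  end

  private

  def digest(token)
    Digest::SHA256.hexdigest(token)
  end
end

# What a before_action would do (hypothetical helper): prefer the live session,
# fall back to the permanent cookie, and rebuild the session from it.
def restore_session(session, cookies, remember_me)
  return session[:user_id] if session[:user_id]
  user_id = remember_me.user_for(cookies[RememberMe::COOKIE_NAME])
  session[:user_id] = user_id if user_id
  user_id
end
```

The clock is injected so expiry can be exercised without waiting; in an app you would drop the `now:` argument. Because the lookup key is a hash of the token, the store never holds anything that can be pasted into a browser.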

Related

How to detect if a user has another user's session in Rails?

We are experiencing a bizarre, very rarely occurring bug where a user will be logged into another user's account.
We are on Rails 4.2. We use authlogic for authentication and dalli as our memcached client, and memcache as the session store.
I haven't been able to figure out what is causing the issue, but the worst part is that even if I did have a hypothesis I wouldn't know how to confirm if it worked or not.
I would like to find some way to log if a user has been given the wrong session, both to help debug the problem and to determine if a potential fix works.
I'm just not sure if it's possible. If the user's cookie has the wrong session ID, how can I possibly figure that out?
Try going back to signed, encrypted cookie session store. Use memcached for frequently accessed items, like the user record. Load the user model from memcached instead of the database.
If you really want to log session hijacking, then log the user's IP address. If the IP address suddenly changes, as if they were logged in in one place and then all of a sudden are making requests from another place, then maybe another user hijacked their session cookie?
http://guides.rubyonrails.org/v5.0/security.html#session-hijacking
Be aware that using Tor would show that pattern, as it generates a new route every ten minutes, but that doesn't mean the session was stolen or mixed up.
If you are not using signed or encrypted cookies, then it allows JavaScript or malicious ads to steal the session id and send it back to the attacker's server.
It could also be that your session ids are not secure or random enough. Maybe a new session id overwrites another session id in memcached? Since you are using a different session store, maybe you customized the session identifier?
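The two signals the answer suggests logging can be checked offline once the app writes one line per request with the session id, the user id and the remote IP. The following is an added example, not code from the original answer or from Rails: the JSON log shape, the field names and the sample lines are constructed assumptions about what such a before_action would emit. It flags a session id that was served to two different user ids (the mix-up the question is chasing) separately from a session id that changed IP (the hijacking hint from the Rails guide, which is noisy for Tor and mobile users).

```ruby
require 'json'
require 'time'

# Added example: detection logic for the two symptoms the answer describes,
# run over constructed log lines. The JSON format and field names are
# assumptions about what a per-request log hook would write
# (e.g. session.id, current_user.id, request.remote_ip).
SAMPLE_LOG = <<~LOG
  {"ts":"2017-03-01T10:00:00Z","session_id":"s1","user_id":7,"ip":"203.0.113.5"}
  {"ts":"2017-03-01T10:00:05Z","session_id":"s1","user_id":7,"ip":"203.0.113.5"}
  {"ts":"2017-03-01T10:01:00Z","session_id":"s2","user_id":9,"ip":"198.51.100.20"}
  {"ts":"2017-03-01T10:02:00Z","session_id":"s1","user_id":12,"ip":"203.0.113.5"}
  {"ts":"2017-03-01T10:03:00Z","session_id":"s2","user_id":9,"ip":"192.0.2.44"}
LOG

Event = Struct.new(:ts, :session_id, :user_id, :ip)

def parse_log(text)
  text.each_line.map do |line|
    h = JSON.parse(line)
    Event.new(Time.iso8601(h['ts']), h['session_id'], h['user_id'], h['ip'])
  end
end

# Returns a list of findings, one per change, in time order. Two checks:
#  - :user_mismatch  the same session id was served to two different user ids,
#                    i.e. the "logged into another user's account" bug itself;
#  - :ip_change      the same session id moved to a new IP, the hijacking hint
#                    from the Rails security guide (expect noise from Tor/mobile).
def detect_session_anomalies(events)
  findings = []
  seen = {} # session_id => { user_id:, ip: } as last observed
  events.sort_by(&:ts).each do |e|
    prev = seen[e.session_id]
    if prev.nil?
      seen[e.session_id] = { user_id: e.user_id, ip: e.ip }
      next
    end
    if prev[:user_id] != e.user_id
      findings << { kind: :user_mismatch, session_id: e.session_id,
                    was: prev[:user_id], now: e.user_id, at: e.ts }
      prev[:user_id] = e.user_id # report each flip once, not on every later request
    end
    if prev[:ip] != e.ip
      findings << { kind: :ip_change, session_id: e.session_id,
                    was: prev[:ip], now: e.ip, at: e.ts }
      prev[:ip] = e.ip
    end
  end
  findings
end
```

A :user_mismatch finding is the one worth paging on; it is what the question cannot otherwise observe. An :ip_change on its own is only a hint, for the reason the answer gives about Tor.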

Rails: Understanding cookies/log out users remotely

Admins should be able to log out a user remotely through the admin console.
When a user logs in, a cookie is set with cookies.signed[:user_token]
The cookie is deleted with cookies.delete :user_token when user logs out.
I can only access and delete the cookie for the current user that is sending the requests to my Rails controller. The cookies hash only has the :user_token of the current user and the session_store key.
Is it possible to access the cookies of all logged in users and delete them from one account? I can't find any info on this.
An alternative way of doing this:
Keep track of the log-in state (0 or 1) of every user in the database. Every time a user logs in, the state is set to 1.
Allow admins to change the state to 0 through the admin console.
The client browser requests the login state every minute or so. If the state is 0, send a logout request.
What do you guys think about this way of doing it?
As far as I know, cookies are stored in the user's browser. You can't delete them. You could invalidate them somehow, but per user it would be difficult.
Storing login state in the database should be the solution you are looking for. So when a user comes in, you do the usual authentication and then check the database. If 0, you make them log in. That way admins can change that one value. Also you have to put something in to expire the flag in your session table.
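A minimal version of the server-side check the answer recommends, as an added example that is neither the answer's code nor Rails or Devise code. The cookie stays in the browser untouched; what changes is that every request consults a per-user flag that an admin can clear. The UserStore class, the in-memory hash standing in for the users table, the 12-hour flag lifetime and the authorize_request helper are assumptions; `cookie_user_id` stands for the user id recovered from an already-verified cookies.signed[:user_token].

```ruby
require 'time'

# Added example (not from the answer): login state kept server-side, checked
# on every request, clearable from an admin console, and expiring on its own.
# Class name, in-memory rows and the 12-hour MAX_AGE are assumptions.
class UserStore
  MAX_AGE = 12 * 60 * 60 # seconds a login flag stays valid without a fresh login

  def initialize(now: -> { Time.now })
    @now = now
    @rows = Hash.new { |h, k| h[k] = { login_state: 0, expires_at: nil } }
  end

  # Login: state -> 1 and stamp when the flag stops being trusted.
  def sign_in(user_id)
    @rows[user_id].merge!(login_state: 1, expires_at: @now.call + MAX_AGE)
  end

  # Admin console: state -> 0. Nothing is sent to the browser; the user's
  # cookie keeps existing but stops being honoured on the next request.
  def admin_logout(user_id)
    @rows[user_id][:login_state] = 0
  end

  # Per-request check, run after the cookie signature has been verified.
  # Also expires stale flags so an admin does not have to.
  def logged_in?(user_id)
    row = @rows[user_id]
    return false unless row[:login_state] == 1
    if row[:expires_at] <= @now.call
      row[:login_state] = 0
      return false
    end
    true
  end
end

# What a before_action would do with the id from the signed cookie
# (hypothetical helper): :ok lets the request through, :login_required
# means redirect to the login page and drop the cookie.
def authorize_request(store, cookie_user_id)
  return :login_required if cookie_user_id.nil?
  store.logged_in?(cookie_user_id) ? :ok : :login_required
end
```

Because the decision is made on every request, the one-minute polling from the question becomes optional: the next request the user makes after the admin flips the flag is already refused.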

Rails cookie not persisting on mobile

I am developing an analytics system in which I have a global user id and a session id. I am storing the global user id in a cookie created on my Rails server, and the session id I store in a cookie that I create in the browser.
The global user id is set to expire in 2 years, and every time a new request from that user arrives I restart the counter. The same happens with the session id, except that the time is 25 minutes.
What is happening is that in some mobile phones the cookie that I set in my rails server is not persisted. So every time the user navigates to other pages he has the same session id but the user id changes.
What could it be?

QuickBlox IOS session expired renew

This question has multiple facets regarding an application that has a login, along with instant messaging, i.e. QBChat. All of these questions kind of relate.
1) When a user logs in, I create a session, log the QBUser in, and log the QBUser in to QBChat. Is it common practice, when a user logs out, to log out of QBChat, log out the QBUser and destroy the session?
2) Currently, when the application is sent to the background, I log the user out of QBChat, log out the QBUser and destroy their session, and when the user comes back I create a new session and log them back in to everything. I do this to make sure that the user's session doesn't expire while the application is in the background. Is there any other way to automatically renew sessions while the application is in use?
3) Finally, this question relates back to the second one: if I am using the application and the session expires, is there a callback function that will be called when the session expires? So if I use the application for 2 hours straight and the session expires, is there any way I can get an indication that it expired and either manually renew it or have it done automatically?
1) When a user logs in, I create a session, log the QBUser in, and log the QBUser in to QBChat. Is it common practice, when a user logs out, to log out of QBChat, log out the QBUser and destroy the session?
Yes, it's a common pattern.
Two things that you need to know:
You can create a session and log in in one query: http://quickblox.com/developers/IOS#A_couple_of_words_about_Authentication_and_Authorization
You don't need to do a QBUser logout and destroy the session; you can just destroy the session. That's enough.
2) Currently, when the application is sent to the background, I log the user out of QBChat, log out the QBUser and destroy their session, and when the user comes back I create a new session and log them back in to everything. I do this to make sure that the user's session doesn't expire while the application is in the background. Is there any other way to automatically renew sessions while the application is in use?
3) Finally, this question relates back to the second one: if I am using the application and the session expires, is there a callback function that will be called when the session expires? So if I use the application for 2 hours straight and the session expires, is there any way I can get an indication that it expired and either manually renew it or have it done automatically?
I do only the QBChat logout. You don't need to destroy the session every time.
You can recreate the session if needed without destroying it first.
To check the session expiration datetime use
NSDate *sessionExpirationDate = [QBBaseModule sharedModule].tokenExpirationDate;

How can I logoff a specific user in a Devise powered Rails app?

By default, the mechanism in Rails seems to be setting a session cookie to keep track of whether a user is logged in or not. While this would ensure that a user is logged off when he closes the browser, I also need him to be logged off in case of inactivity. I have the following use case:
user is logged in
he is on a specific page ( websockets powered, no refresh )
client pings server, in order to let the server know he's still active
in case more than X minutes go by without any sign of activity, the user should be logged off
How can such a use case be handled? I thought about setting an expiration time of a few minutes on the cookie. I'd like the cookie's expiration time to be set back to the original duration every time the client pings the server.
I'm open to any ideas on how this problem could be tackled.
If you use Devise it's already there; you can configure the timeout duration in devise.rb: https://github.com/plataformatec/devise/blob/master/lib/generators/templates/devise.rb#L132
Use the Timeoutable module. Read about it in the docs: http://github.com/plataformatec/devise.
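With Devise the setup is `config.timeout_in = 10.minutes` in config/initializers/devise.rb and `:timeoutable` added to the model's `devise` call; every authenticated request, including the websocket keep-alive ping, then refreshes the last-request timestamp. The following is an added example of the same sliding-window logic in plain Ruby so the behaviour can be seen without a Rails app. It is not Devise's code: the IdleTimeout class, the session hash layout with a :last_request_at key, the 10-minute value and the remaining helper are assumptions.

```ruby
require 'time'

# Added example: the inactivity timeout the question asks for, modelled on what
# Devise's Timeoutable does (compare a last-request timestamp kept in the session
# with the configured timeout). Not Devise's code; class name, session key and
# the timeout value passed in are assumptions.
class IdleTimeout
  def initialize(timeout_in:, now: -> { Time.now })
    @timeout_in = timeout_in # seconds of allowed inactivity
    @now = now
  end

  # Run on every authenticated request, including the client's "still here" ping.
  # Returns :ok and slides the window, or :timed_out after wiping the session so
  # the user has to log in again.
  def check(session)
    last = session[:last_request_at]
    if last && @now.call - last > @timeout_in
      session.clear
      return :timed_out
    end
    session[:last_request_at] = @now.call
    :ok
  end

  # Seconds of inactivity still allowed; useful for scheduling the client ping.
  def remaining(session)
    last = session[:last_request_at]
    return 0 unless last
    [@timeout_in - (@now.call - last), 0].max
  end
end
```

The window is tied to server-side state, not to the cookie's expiry, so a client that tampers with its cookie lifetime gains nothing; the ping only needs to be an authenticated request to keep the window open.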
