I'd like to add something like the "remember me" option into a Rails application and I need to create a persistent session that doesn't expire when the user closes his browser.
The only solution I found right now is to use a plugin:
http://blog.codahale.com/2006/04/08/dynamic-session-expiration-times-with-rails/
Are there any other (better) solutions?
Use cookies and set the expiration to a date very far into the future.
Take a look at how technoweenie's restful authentication does it.
Particularly line 122 of the generator which allows login from a cookie.
Related
I need to save login/password for my authenticated user. It seems that LoginForm component is deprecated. How else can i make the client's browser to save entered login & password? Can the SubmintButton class help me somehow?
Thank you.
I would suggest to use cookies and implement a remember me function.
That means more or less, you create a cookie with a unique identifier of the user (never! store the user credentials in the cookie). This unique identifier is also stored in your application and should usually have lease time, which expires after a certain time, for security reasons. Every time the user enters your application, the system checks if the cookie still exists and is valid, if so go directly to the application, if not go to the login form.
Perhaps the following link gives you an idea:
http://fishbowl.pastiche.org/2004/01/19/persistent_login_cookie_best_practice/
The only way I know is to use cookies. I use for this purpose Spring Security with remember me functionality.
https://docs.spring.io/spring-security/site/docs/current/reference/html/remember-me.html
The LoginForm in the core indeed is currently deprecated as it is incompatible with most modern browsers. There is a patch in review to fix this issue, but in the mean time you can use an excellent add-on from the Directory called LoginForm.
As I understand one of the strategies to store sessions is store it in the cookie. There is one thing I don't understand from the docs:
To prevent session hash tampering, a digest is calculated from the
session with a server-side secret and inserted into the end of the
cookie.
What does this mean? How do they prevent that, if I get a cookie from another user, and I use it in my browser, I can't pretend I am the other user? I guess I don't understand what session hash tampering means.
How do they prevent that, if I get a cookie from another user, and I
use it in my browser, I can't pretend I am the other user?
This is called session hijacking, and is covered in http://guides.rubyonrails.org/security.html#session-hijacking. The recommended way to to mitigate this is by "always forcing SSL connection in your application config file", like so:
config.force_ssl = true
The whole http://guides.rubyonrails.org/security.html is definitely worth a read, for more goodness like this.
It would be great to have a supporting doc for the same.
I'm assuming the question can be restated as "Does Devise use a cookie to keep track of your session after authentication." If so, the answer is yes.
To test this, clear your cookies, log in and then check your cookies again. You'll see one for your website named after your app.
#Rodrigo, sessions are enabled by cookies. That's how the session can follow you through multiple pages. HTTP is inherently stateless. Cookies allow you to save state.
Not directly.
Devise is built on top of Warden, which uses the session. I don't see any easy way to use cookies for authentication (although you may use rememberable to keep it recorded between sessions). Sessions are enabled by cookies, so it uses the cookies indirectly.
I have a Rails's application and i saved user's session in sessions table. It's run on domain example.com
Now I'm developing a CakePHP's application run on subdomain cakephp.example.com. How can i reuse session from Rails's app? Thanks in advance.
Yes it can although I'm not sure why you would want to. Assuming you are using Cookie Store the session is simply base64 encoded.
$rails_session = base64_decode($_COOKIE['_foobar_session']);
Obviously you need to replace the cookie name. Additionally you won't be able to modify the rails session and use it in rails again because there are some security restrictions to tampering with it. You can disable them but I wouldn't suggest doing that.
Another option is to store the session in the database in which case you can access it just like you would for any data.
EDIT: After rereading your question it seems like you would want to read the session in initially like I stated above and use that to create a new session in cakephp.
My Rails-app has a sign in box with a "remember me" checkbox. Users who check that box should remain logged in even after closing their browser. I'm keeping track of whether users are logged in by storing their id in the user's session.
But sessions are implemented in Rails as session cookies, which are not persistent. I can make them persistent:
class ApplicationController < ActionController::Base
before_filter :update_session_expiration_date
private
def update_session_expiration_date
options = ActionController::Base.session_options
unless options[:session_expires]
options[:session_expires] = 1.year.from_now
end
end
end
But that seems like a hack, which is surprising for such common functionality. Is there any better way?
Edit
Gareth's answer is pretty good, but I would still like an answer from someone familiar with Rails 2 (because of it's unique CookieSessionStore).
You should almost certainly not be extending the session cookie to be long lived.
Although not dealing specifically with rails this article goes to some length to explain 'remember me' best practices.
In summary though you should:
Add an extra column to the user table to accept a large random value
Set a long lived cookie on the client which combines the user id and the random value
When a new session starts, check for the existence of the id/value cookie and authenticate the new user if they match.
The author also recommends invalidating the random value and resetting the cookie at every login. Personally I don't like that as you then can't stay logged into a site on two computers. I would tend to make sure my password changing function also reset the random value thus locking out sessions on other machines.
As a final note, the advice he gives on making certain functions (password change/email change etc) unavailable to auto authenticated sessions is well worth following but rarely seen in the real world.
I have spent a while thinking about this and came to some conclusions. Rails session cookies are tamper-proof by default, so you really don't have to worry about a cookie being modified on the client end.
Here is what I've done:
Session cookie is set to be long-lived (6 months or so)
Inside the session store
An 'expires on' date that is set to login + 24 hours
user id
Authenticated = true so I can allow for anonymous user sesssions (not dangerous because of the cookie tamper protection)
I add a before_filter in the Application Controller that checks the 'expires on' part of the session.
When the user checks the "Remember Me" box, I just set the session[:expireson] date to be login + 2 weeks. No one can steal the cookie and stay logged in forever or masquerade as another user because the rails session cookie is tamper-proof.
I would suggest that you either take a look at the RESTful_Authentication plug in, which has an implementation of this, or just switch your implementation to use the RESTful Authentication_plugin. There is a good explanation about how to use this plug in at Railscasts:
railscasts #67 restful_authentication
Here is a link to the plugin itself
restful_authentication
The restful_authentication plugin has a good implementation of this:
http://agilewebdevelopment.com/plugins/restful_authentication
Note that you don't want to persist their session, just their identity. You'll create a fresh session for them when they return to your site. Generally you just assign a GUID to the user, write that to their cookie, then use it to look them up when they come back. Don't use their login name or user ID for the token as it could easily be guessed and allow crafty visitors to hijack other users' accounts.
This worked like a charm for me:
http://squarewheel.wordpress.com/2007/11/03/session-cookie-expiration-time-in-rails/
Now my CookieStore sessions expire after two weeks, whereby the user must submit their login credentials again in order to be persistently logged-in for another two weeks.
Bascially, it's as simple as:
including one file in vendor/plugins directory
set session expiry value in application controller using just one line
I would go for Devise for a brilliant authentication solution for rails.