Implementation of "Remember Me" in a Rails Application

Implementation of Remember me in a Rails application

I have spent a while thinking about this and came to some conclusions. Rails session cookies are tamper-proof by default, so you really don't have to worry about a cookie being modified on the client end.

Here is what I've done:

  • Session cookie is set to be long-lived (6 months or so)
  • Inside the session store

    • An 'expires on' date that is set to login + 24 hours
    • user id
  • Authenticated = true so I can allow for anonymous user sessions (not dangerous because of the cookie tamper protection)
  • I add a before_filter in the Application Controller that checks the 'expires on' part of the session.

When the user checks the "Remember Me" box, I just set the session[:expireson] date to be login + 2 weeks. No one can steal the cookie and stay logged in forever or masquerade as another user because the Rails session cookie is tamper-proof.
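The design described in this answer, as an added example that is not the answer's own code: the login and before_filter logic as a plain Ruby module, so it runs without Rails. It assumes `session` is the Rails session hash and uses :user_id, :authenticated and :expireson as the field names.

```ruby
require 'time'

# Added example: the session-expiry design from the answer, as plain Ruby.
# `session` is assumed to be the Rails session hash. Rails signs the cookie
# session, so the client cannot alter these values; it only encrypts them from
# Rails 4 on, so the fields stay limited to non-secret data like a user id.
module RememberMeSession
  DEFAULT_TTL  = 24 * 60 * 60        # login + 24 hours
  REMEMBER_TTL = 14 * 24 * 60 * 60   # login + 2 weeks when "Remember Me" is ticked

  # On successful login: record who is logged in and when that stops being true.
  def self.establish(session, user_id, remember: false, now: Time.now)
    ttl = remember ? REMEMBER_TTL : DEFAULT_TTL
    session[:user_id] = user_id
    session[:authenticated] = true
    session[:expireson] = (now + ttl).utc.iso8601
    session
  end

  # The before_filter check: true only for an authenticated session whose
  # expireson lies in the future. A missing or anonymous session is simply
  # false; an expired session, or one whose timestamp does not parse, is
  # reset to anonymous so the stale identity cannot linger.
  def self.valid?(session, now: Time.now)
    return false unless session[:authenticated] == true && session[:expireson]
    return true if now < Time.iso8601(session[:expireson])
    reset(session)
    false
  rescue ArgumentError
    reset(session)
    false
  end

  # Back to an anonymous session: keeps the cookie, drops the identity.
  def self.reset(session)
    session.delete(:user_id)
    session.delete(:expireson)
    session[:authenticated] = false
  end
end
```

In a Rails app the before_filter would call `RememberMeSession.valid?(session)` and redirect to login when it returns false.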

How to implement a Remember Me function in Rails 3?

I have been reading the Rails tutorial book, and it has an implementation for Remember Me.

You can check it for some hints (the implementation may be different from yours):

http://ruby.railstutorial.org/book/ruby-on-rails-tutorial#sec:remember_me

Remember me option - how do I implement it?

The way I've done it is this (we're using OmniAuth for the authentication and Mongoid for user storage - the login form uses AJAX so the reply is JSON). The HTML field that corresponds to the "Remember me" checkbox is called "remember":

post '/auth/identity/callback' do
  # OmniAuth has already verified the identity; look up our user record by its uid
  u = User.find(env['omniauth.auth']['uid'])
  session[:user] = u
  # Only when the "remember" checkbox was submitted: keep the cookie for 30 days
  session.options[:expire_after] = 2592000 unless params['remember'].nil? # 30 days
  [200, {:msg => 'User logged in'}.to_json]
end

The key here is the session.options[:expire_after] line. If you don't set :expire_after, the cookie will be automatically deleted when the browser quits. Once you set it, the cookie becomes persistent across browser restarts, and is kept for the number of seconds specified.

remember_me with warden

Devise, which is an authentication solution on top of Warden, has a rememberable implementation.
