Rails 3 Additional Session Configuration Options (Key, Expires_After, Secure)

  • Home
  • Languages
  • Ruby
  • Rails 3 Additional Session Configuration Options (Key, Expires_After, Secure)

Rails 3 additional session configuration options (key, expires_after, secure)

You now configure the Cookie-based session store through an initializer, probably in config/initializers/session_store.rb. In Rails 3 the session store is a piece of middleware, and the configuration options are passed in with a single call to config.session_store:

Your::Application.config.session_store :cookie_store, :key => '_session'

You can put any extra options you want in the hash with :key, e.g.

Your::Application.config.session_store :cookie_store, {
  :key =>           '_session_id',
  :path =>          '/',
  :domain =>        nil,
  :expire_after =>  nil,
  :secure =>        false,
  :httponly =>      true,
  :cookie_only =>   true
}

(Those are just the standard defaults)

If you force SSL in production then setting secure on the cookie shouldn't really make a difference in practice, but you might want to set it just to be on the safe side...

Your::Application.config.session_store :cookie_store, {
  :key =>           '_session_id',
  :secure =>        Rails.env.production?
}

Setting session timeout in Rails 3

I think you will have to do this manually since the active record store does not implement the expire_after option. So within your (I assume) before filter, you should do this:

def authenticate
  if session[:logged_in]
    reset_session if session[:last_seen] < 2.minutes.ago
    session[:last_seen] = Time.now
  else
    ... authenticate
    session[:last_seen] = Time.now
  end
end

Obviously, this is not complete, but it should give you the basic idea.

UPDATE:

It seems that the functionality IS present in rails since version 2.3. I found the relevant code here. This is AbstractStore which should serve as base class for all derived ones. So, as dadooda suggests, the following should work:

Some::Application.config.session_store :active_record_store, {
  expire_after: 24.hours,
}

Close session and redirect to login in Ruby on Rails

You can store the session in a cookie, which is a session cookie by default (meaning it goes away when the user closes the browser), and add an expiration time using :expire_after.

This can be configured in config/initializers/session_store.rb. For example:

Yourapp::Application.config.session_store :cookie_store, 
                                         key: 'your_session_id',
                                         expire_after: 45.minutes

automatic logout after inactivity/idle

You should use Timeoutable model trait.

Timeoutable takes care of veryfing whether a user session has already expired or not. When a session expires after the configured time, the user will be asked for credentials again, it means, he/she will be redirected to the sign in page.

Options

Timeoutable adds the following options to devise_for:

  • +timeout_in+: the interval to timeout the user session without activity.

In your model you need

devise :timeoutable
# along with :database_authenticatable, :registerable and other things.

Also, take a look at config/initializers/devise.rb, you can configure timeout value there.

How to store data in S3 and allow user access in a secure way with rails API / iOS client?

Using the aws-sdk gem, you can get a temporary signed url for any S3 object by calling url_for:

s3 = AWS::S3.new(
  :access_key_id => 1234,
  :secret_access_key => abcd
)
object = s3.buckets['bucket'].objects['path/to/object']
object.url_for(:get, { :expires => 20.minutes.from_now, :secure => true }).to_s

This will give you a signed, temporary use URL for only that object in S3. It expires after 20 minutes (in this example), and it's only good for that one object.

If you have lots of objects the client needs, you'll need to issue lots of signed URLs.

Or should let the server control all content passing (this solves security of course)? Does this mean I have to download all content to server before handing it down to the connected users?

Note that this doesn't mean the server needs to download each object, it only needs to authenticate and authorize specific clients to access specific objects in S3.

API docs from Amazon:
https://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html#RESTAuthenticationQueryStringAuth

Rails 4: Session Expiry?

Rails has "tamper-proof" session cookies. To prevent session hash tampering, a digest is calculated from the session with a server-side secret and inserted into the end of the cookie. Just make sure you have a long secret. If you want to periodically reset all user sessions change your secret.

To answer your question, if you want to add an extra time-out to the session data you could do:

session[:user_id] = user.id
session[:expires_at] = Time.current + 24.hours

Then, when authenticating users, do:

if session[:expires_at] < Time.current
  # sign out user
end

Hope that helps.


Related Topics

Does Ruby Have the Java Equivalent of Synchronize Keyword

Using Cookies with Rack::Test

Undef - Why Would You Want to Undefine a Method in Ruby

Git Deployment + Configuration Files + Heroku

Getting Webpage Content with Ruby -- I'm Having Troubles

How to Deal with Not Knowing What Exceptions Can Be Raised by a Library Method in Ruby

How Would I Save Multiple Records at Once in Rails

Why Is 'Return a or B' a Void Value Expression Error in Ruby

How to Set/Get Session Vars in a Rack App

Failed to Build Gem Native Extension' on Windows 7 (The System Cannot Find the Path Specified)

How to Get Rspec-2 to Give the Full Trace Associated with a Test Failure

How to Modify an Array While I am Iterating Over It in Ruby

Find Classes Available in a Module

How to Use Unicorn as "Rails S"

Named Parameters in Ruby 2

What Is the Best/How to Validate an Email Address in Ruby

How to See the Dependency Tree Just from Gemfile

How to Avoid Deprecation Messages from Rubygems


Leave a reply



Submit