Rails 3 additional session configuration options (key, expires_after, secure)
You now configure the Cookie-based session store through an initializer, probably in config/initializers/session_store.rb
. In Rails 3 the session store is a piece of middleware, and the configuration options are passed in with a single call to config.session_store
:
Your::Application.config.session_store :cookie_store, :key => '_session'
You can put any extra options you want in the hash with :key
, e.g.
Your::Application.config.session_store :cookie_store, {
:key => '_session_id',
:path => '/',
:domain => nil,
:expire_after => nil,
:secure => false,
:httponly => true,
:cookie_only => true
}
(Those are just the standard defaults)
If you force SSL in production then setting secure on the cookie shouldn't really make a difference in practice, but you might want to set it just to be on the safe side...
Your::Application.config.session_store :cookie_store, {
:key => '_session_id',
:secure => Rails.env.production?
}
Setting session timeout in Rails 3
I think you will have to do this manually since the active record store does not implement the expire_after option. So within your (I assume) before filter, you should do this:
def authenticate
if session[:logged_in]
reset_session if session[:last_seen] < 2.minutes.ago
session[:last_seen] = Time.now
else
... authenticate
session[:last_seen] = Time.now
end
end
Obviously, this is not complete, but it should give you the basic idea.
UPDATE:
It seems that the functionality IS present in rails since version 2.3. I found the relevant code here. This is AbstractStore which should serve as base class for all derived ones. So, as dadooda suggests, the following should work:
Some::Application.config.session_store :active_record_store, {
expire_after: 24.hours,
}
Close session and redirect to login in Ruby on Rails
You can store the session in a cookie, which is a session cookie by default (meaning it goes away when the user closes the browser), and add an expiration time using :expire_after
.
This can be configured in config/initializers/session_store.rb
. For example:
Yourapp::Application.config.session_store :cookie_store,
key: 'your_session_id',
expire_after: 45.minutes
automatic logout after inactivity/idle
You should use Timeoutable
model trait.
Timeoutable takes care of veryfing whether a user session has already expired or not. When a session expires after the configured time, the user will be asked for credentials again, it means, he/she will be redirected to the sign in page.
Options
Timeoutable adds the following options to devise_for:
- +timeout_in+: the interval to timeout the user session without activity.
In your model you need
devise :timeoutable
# along with :database_authenticatable, :registerable and other things.
Also, take a look at config/initializers/devise.rb
, you can configure timeout value there.
How to store data in S3 and allow user access in a secure way with rails API / iOS client?
Using the aws-sdk gem, you can get a temporary signed url for any S3 object by calling url_for
:
s3 = AWS::S3.new(
:access_key_id => 1234,
:secret_access_key => abcd
)
object = s3.buckets['bucket'].objects['path/to/object']
object.url_for(:get, { :expires => 20.minutes.from_now, :secure => true }).to_s
This will give you a signed, temporary use URL for only that object in S3. It expires after 20 minutes (in this example), and it's only good for that one object.
If you have lots of objects the client needs, you'll need to issue lots of signed URLs.
Or should let the server control all content passing (this solves security of course)? Does this mean I have to download all content to server before handing it down to the connected users?
Note that this doesn't mean the server needs to download each object, it only needs to authenticate and authorize specific clients to access specific objects in S3.
API docs from Amazon:
https://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html#RESTAuthenticationQueryStringAuth
Rails 4: Session Expiry?
Rails has "tamper-proof" session cookies. To prevent session hash tampering, a digest is calculated from the session with a server-side secret and inserted into the end of the cookie. Just make sure you have a long secret. If you want to periodically reset all user sessions change your secret.
To answer your question, if you want to add an extra time-out to the session data you could do:
session[:user_id] = user.id
session[:expires_at] = Time.current + 24.hours
Then, when authenticating users, do:
if session[:expires_at] < Time.current
# sign out user
end
Hope that helps.
Related Topics
Does Ruby Have the Java Equivalent of Synchronize Keyword
Undef - Why Would You Want to Undefine a Method in Ruby
Git Deployment + Configuration Files + Heroku
Getting Webpage Content with Ruby -- I'm Having Troubles
How to Deal with Not Knowing What Exceptions Can Be Raised by a Library Method in Ruby
How Would I Save Multiple Records at Once in Rails
Why Is 'Return a or B' a Void Value Expression Error in Ruby
How to Set/Get Session Vars in a Rack App
Failed to Build Gem Native Extension' on Windows 7 (The System Cannot Find the Path Specified)
How to Get Rspec-2 to Give the Full Trace Associated with a Test Failure
How to Modify an Array While I am Iterating Over It in Ruby
Find Classes Available in a Module
How to Use Unicorn as "Rails S"
What Is the Best/How to Validate an Email Address in Ruby