Does Rails provide session timeout/expiry?

Hi,

Does Rails provide session timeout out-of-the-box (i.e. like Java servlets
provide in J2EE), or does one need to implement it, similar to the Rails
Recipes book?

Tks

I don’t believe so. I added this functionality to my application,
though. Take a look at my blog for the code.

http://burningtimes.net/articles/2006/10/15/paranoid-rails-session-storage

Erik

Thanks Erik - very interesting

Based on my readings it would seem you could say that Rails does not
provide web application session expiry. Whilst there is support for expiry
of cookies, it seems well documented that relying on cookies is prone to
user-end abuse.

The implication is that one has to build one's own session management
(time-based session management and expiry). The major options in terms of
the detection of this seem to be to store last application usage somewhere
(session, database etc.) but then, in terms of when the session is checked,
do this either:

a) periodically, e.g. by using a sweeper type arrangement OR
b) based on a before filter in the controller

Any comments guys on which of these is the better mechanism, noting it
would potentially be called each request?

Greg

On Sat, 2006-11-04 at 20:53 +1000, Greg H. wrote:

usage somewhere (session, database etc.) but then, in terms of when the
session is checked, do this either:

a) periodically, e.g. by using a sweeper type arrangement OR
b) based on a before filter in the controller

Any comments guys on which of these is the better mechanism, noting it
would potentially be called each request?


I believe AWDWR covered file-based sessions - or perhaps it was the Rails
wiki that did… I forget.

I think I got this from Rails Recipes (ActiveRecord-based sessions):

class SessionCleaner
  # Delete sessions whose updated_at (the last-activity stamp kept by
  # ActiveRecordStore) is older than 30 minutes.
  def self.remove_stale_sessions
    CGI::Session::ActiveRecordStore::Session.destroy_all(
      ['updated_at < ?', 30.minutes.ago])
  end
end

for calling periodically from cron via script/runner.

Craig

Greg H. wrote:

While this is true, there are a number of plugins available that help
reduce implementation effort.

I would say you will need to use BOTH of the above methods.

b) can be implemented with relative ease. You can use :except (or :only)
to control which actions are filtered.
a) requires a bit more work but is doable (is that a word?), as Craig has
suggested. This is where you can clean up "abandoned" sessions.

Long
www.edgesoft.ca/blog/read/2
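As an added example that is not part of this thread or of the Rails Recipes code, here is a plain-Ruby model of both mechanisms Greg listed above, (b) a per-request check in the style of a before filter and (a) a periodic sweeper in the style of Craig's SessionCleaner, written so it runs without Rails loaded. SessionStore stands in for CGI::Session::ActiveRecordStore and its updated_at column, IdleTimeoutFilter for the controller filter; those names, the 30-minute limit and the timestamps in the walk-through are all assumptions made for the example.

```ruby
# Added example, not code from the thread. Plain Ruby stand-in for the
# two mechanisms discussed: (b) a per-request idle check and (a) a
# periodic sweeper. SessionStore models ActiveRecordStore's sessions
# table (updated_at column); all names and values are assumptions.
require 'securerandom'

IDLE_LIMIT = 30 * 60 # seconds of inactivity before a session is dead

# Server-side session store: id => { data:, updated_at: }.
# The client only ever holds the id, so updated_at cannot be tampered with.
class SessionStore
  def initialize
    @rows = {}
  end

  def create(now)
    id = SecureRandom.hex(16)
    @rows[id] = { data: {}, updated_at: now }
    id
  end

  def find(id)
    @rows[id]
  end

  def destroy(id)
    @rows.delete(id)
  end

  def count
    @rows.size
  end

  # (a) sweeper: what the cron job does, with an explicit clock and cutoff.
  # Returns how many stale rows were deleted.
  def remove_stale(now, limit = IDLE_LIMIT)
    cutoff = now - limit
    stale = @rows.select { |_, row| row[:updated_at] < cutoff }.keys
    stale.each { |id| @rows.delete(id) }
    stale.size
  end
end

# (b) before-filter equivalent: runs on every request, decides whether the
# presented session id is still live, and touches updated_at if it is.
class IdleTimeoutFilter
  def initialize(store, limit = IDLE_LIMIT)
    @store = store
    @limit = limit
  end

  # Returns [:ok, id] for a live session, [:expired, new_id] when the old
  # session is destroyed and replaced, or [:new, id] when the id is absent
  # or unknown (a forged id simply gets a fresh, empty session).
  def call(session_id, now)
    row = session_id && @store.find(session_id)
    return [:new, @store.create(now)] unless row
    if now - row[:updated_at] > @limit
      @store.destroy(session_id) # drop server-side state, never reuse the id
      return [:expired, @store.create(now)]
    end
    row[:updated_at] = now # last-activity stamp lives server-side only
    [:ok, session_id]
  end
end

# Walk-through with constructed timestamps.
def demo
  store = SessionStore.new
  filter = IdleTimeoutFilter.new(store)
  t0 = Time.utc(2006, 11, 4, 10, 0, 0)

  status1, id1 = filter.call(nil, t0)            # first request: new session
  status2, id2 = filter.call(id1, t0 + 10 * 60)  # 10 minutes later: still live
  # The client keeps presenting the same cookie 45 minutes after its last
  # use; whatever expiry the browser had on it is irrelevant, the server's
  # own clock decides.
  status3, id3 = filter.call(id1, t0 + 55 * 60)
  { first: status1, second: status2, third: status3,
    same_id: id1 == id2, rotated: id3 != id1 }
end

def demo_sweeper
  store = SessionStore.new
  t0 = Time.utc(2006, 11, 4, 10, 0, 0)
  old = store.create(t0)              # never presented again (abandoned)
  fresh = store.create(t0 + 20 * 60)
  removed = store.remove_stale(t0 + 31 * 60) # cron tick
  { removed: removed, old_gone: store.find(old).nil?,
    fresh_kept: !store.find(fresh).nil? }
end
```

The point to notice is that the last-activity stamp and the comparison both live on the server side; the client only ever presents the session id, so the expiry attribute on the cookie (or its absence) has no bearing on when the session dies. The filter only fires when a stale client comes back, which is why the sweeper is still needed to clear sessions that are never presented again.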

Greg H. wrote:

Hi Long - was there a particular plugin (plugins) you had in mind here?

Greg,

If you Google ‘session expire’ on this group you will find some
references.

Here is a previous thread you may find of use:

http://groups.google.ca/group/rubyonrails-talk/browse_thread/thread/7e61b201ac19677b/3c488c21682413a0?lnk=gst&q=session+expire&rnum=4#3c488c21682413a0

I have written a similar plugin for my own use also. I keep promising to
release it but just not finding the time to get it done (sigh).

Long
www.edgesoft.ca/blog/read/2


Greg H. wrote:

Tks Long - I'll follow this up / read through this.

You’re welcome.

One thing still not clear to me (need to do more reading) is whether the
out-of-the-box Rails session timeout is just using the cookie expiry concept
or not?

I don't think Rails uses cookie expiry by default, but one can certainly
set it. However, the cookie itself is at the mercy of the browser/user. It
can be cleared at any time, so it can't be relied upon.

Out-of-the-box, a Rails session lives forever, so if we want it to expire
we have to add the filter to expire the session. This will only handle
clients that try to reconnect after a long period of inactivity.

i.e. does the Rails session infrastructure add additional server-side
checks and balances to ensure that any tampering with cookie information at
the client end cannot change the timeout period for the session, for
example?

I don't think Rails performs additional checks automatically. A Rails
session lives on the server side, and anything you store in the session
stays on the server side. The only thing Rails passes to the client is the
session_id (in the form of a cookie). Assuming cookies are enabled, on
subsequent requests Rails makes sure the correct session is reconnected.
If your app has not set any other value in the client cookie then there is
nothing to tamper with, except the session_id value. So the answer is no,
the client cannot change the timeout period through tampering.

So is the Rails session timeout facility adequate from a security point of
view? (i.e. if you didn't want more functionality like seeing who is logged
on, could one use it and feel comfortable?)

From a security standpoint Rails' session handling is not any different
from other technologies such as PHP or Java. They all use a cookie to store
the session_id in order to maintain user state across HTTP requests. In
this context the facility is adequate. If you have a member-only area,
consider using SSL (via HTTPS) to gain an additional layer of protection.

Long
www.edgesoft.ca/blog/read/2

Tks Long - this really helped. Can I ask, at this point in time, which
plugin (or code, albeit on a blog) would you recommend if I wanted to add
(a) the ability to set a defined session timeout period and (b) to be able
to get a list of who is currently using the website [anonymous & logged-on
user names]? Does something exist now?

I did see Erik's post here
http://burningtimes.net/articles/2006/10/15/paranoid-rails-session-storage
so I'm wondering whether to try to incorporate this approach, or leverage a
separate existing plugin. Perhaps at this point in time the best approach is
to take the bits you need from all of the posts/plugins and come up with
something that suits one's own needs (i.e. as it doesn't seem like there is
a clear de facto popular plugin in this area yet).

Tks again

Greg H. wrote:

Tks Long - this really helped. Can I ask, at this point in time, which
plugin (or code, albeit on a blog) would you recommend if I wanted to add
(a) the ability to set a defined session timeout period and

Here are some resources to start with:

http://opensource.agileevolved.com/svn/root/rails_plugins/

http://www.agilewebdevelopment.com/plugins/recent

(b) to be able to get a list of who is currently using the website
[anonymous & logged-on user names]? Does something exist now?

I haven't looked, but you may have to roll your own. Perhaps you may find
something from the above links.

Best of luck,

Long
www.edgesoft.ca/blog/read/2

Tks Long - I'll follow this up / read through this.

One thing still not clear to me (need to do more reading) is whether the
out-of-the-box Rails session timeout is just using the cookie expiry concept
or not? i.e. does the Rails session infrastructure add additional
server-side checks and balances to ensure that any tampering with cookie
information at the client end cannot change the timeout period for the
session, for example? So is the Rails session timeout facility adequate from
a security point of view? (i.e. if you didn't want more functionality like
seeing who is logged on, could one use it and feel comfortable?)

Greg