How can I set it so that someone stays logged in even if they closed their browser? I am looking to give users the ability to stay logged in if they want or to log out when they close their application. How does one go about doing it that way... the rails way? :-)

John K.
--
http://www.soen.info - where software engineering knowledge gets indexed
http://cusec.soen.info - software engineering conference
on 2005-11-14 02:59
on 2005-11-14 03:17
John K. <john@...> writes:

> http://www.soen.info - where software engineering knowledge gets indexed
> http://cusec.soen.info - software engineering conference

Hi John,

I am no expert, however, I think I read somewhere about storing session details inside the application itself in a text file. Your basic need is to store the session details which get erased on closing of the browser. So simply give it a try by storing the session details in a file or better still store it in the database which you will keep more secure, thus, keeping the user session details secure.

Hope this helps.

Ravi
on 2005-11-14 04:05
On Nov 13, 2005, at 8:15 PM, Ravi Dhupar wrote:

>> > session details
> Ravi

This is not related to the underlying storage of the session data. The server is not at all aware of when you close your browser. The ID for a session is stored in a cookie; the Rails default sets that cookie to expire when the browser exits. To get the effect the OP is after, you set an explicit expiration time on the cookie. Just set it to something really long: weeks, months, years into the future.

You should be able to do something like this (untested):

    # application.rb
    class ApplicationController < ActionController::Base
      # Give the session cookie an explicit expiry so it survives a browser restart.
      # Note: Time.now is evaluated once, when this class is loaded.
      session :session_expires => Time.now + 10.years
    end
on 2005-11-14 04:47
The problem with both options is that you are making it an application thing rather than a on login the person can specify to keep me logged on or not. Does anyone know how to do that?
on 2005-11-14 05:39
On Nov 13, 2005, at 9:46 PM, John K. wrote:

> The problem with both options is that you are making it an application
> thing rather than a on login the person can specify to keep me logged
> on or not. Does anyone know how to do that?

Setting session properties at the application level was just an example. The documentation will show you that you can set them at a finer grain. At any rate, I have been using a solution that I wrote before setting session props was easy, and I'll describe that for you here.

For this I use a separate cookie from the session cookie, and leave the session cookie alone. I don't keep any long term state in the session so I don't care if it goes away when the browser exits. If you do keep long term state in the session, you'll have to modify this solution to set the expiry on the session cookie appropriately, or take other measures.

When a user logs in and checks the 'remember me' box, you generate a hash (which should be unique and unguessable just like the normal session id) and stick this in a cookie and somewhere you can get to it later (I just stick it in the user's entry in the users table in the database). Now, when you do your normal auth check filter, if the normal login check fails you can check for this extra cookie. If it's there and its hash is found in the database, you've got your user and you can log them in.

That's the bird's eye view, anyway. Implementation and security are left as an exercise to the reader.
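
The separate remember-me cookie described in the last message, as an added plain-Ruby example that is not code from the thread or from Rails. The `USERS` hash stands in for the users table and all method names are hypothetical; storing only a SHA-256 digest of the token, the 14-day lifetime, and rotating the token on each use are assumptions that go beyond what the post describes.

```ruby
require "securerandom"
require "digest"

# Constructed stand-in for the users table: id => row.
USERS = {
  1 => { name: "john", remember_digest: nil, remember_expires_at: nil }
}

REMEMBER_FOR = 14 * 24 * 3600 # seconds; lifetime chosen for this example

def digest(token)
  Digest::SHA256.hexdigest(token)
end

# Login with the 'remember me' box checked: returns the value to put in the cookie.
# Only a digest is stored, so a leaked users table does not yield usable cookies.
def issue_remember_token(user_id, now = Time.now)
  token = SecureRandom.urlsafe_base64(32) # 256 bits from the OS CSPRNG
  USERS.fetch(user_id).update(remember_digest: digest(token),
                              remember_expires_at: now + REMEMBER_FOR)
  token
end

# Logout, or an expired token: invalidate server-side, not just in the browser.
def forget(user_id)
  USERS.fetch(user_id).update(remember_digest: nil, remember_expires_at: nil)
end

# Auth filter fallback, called only when the normal session check has failed.
# Returns [user_id, fresh_token] on success, nil otherwise.
def login_from_cookie(cookie_value, now = Time.now)
  return nil if cookie_value.nil? || cookie_value.empty?
  wanted = digest(cookie_value) # lookup is by digest, never by the raw token
  user_id, row = USERS.find { |_, r| r[:remember_digest] == wanted }
  return nil unless row
  if now >= row[:remember_expires_at]
    forget(user_id)
    return nil
  end
  # Rotate: the presented token stops working, so a copied cookie is single-use.
  [user_id, issue_remember_token(user_id, now)]
end
```

The token returned by `issue_remember_token` and `login_from_cookie` goes into the cookie with the same expiry as the stored row, with the `Secure` and `HttpOnly` attributes set.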