Cookie vs db session store behavior

I’m wondering if this is the normal way Rails handles sessions…

When I log in (create a session on the server), the application sets a
cookie value in the HTTP header.

Key: Set-Cookie
Value:
_my_session_id=BAe7CDoOcmV0dXJuX3RvMqIKsmxhc2hJQzonQWN0aW9uQ13udHJvbGxlcjo6%220ARmvhc2g6YkZsYXNoSGFzaHsABjoKQHVzZWR7ADoJdXNlcmkC3wM
%253D--d806ac851b4e6ee4310dcf2abdcf57e3ea4c12cb; path=/ )

When I log out (delete the session), the application gives me a different
value for the Set-Cookie header.

But on every subsequent login and logout the application sets the SAME
value for the Set-Cookie header.

And when I use the DB-based session store, the application always sets
different values for the Set-Cookie header, which is better behavior.

I think that when using the cookie-based session store, the application
should set different values for the Set-Cookie header, maybe adding some
hashed timestamp to the Set-Cookie value so that it can be recognized
whether the session is an old one or the latest one.

Any suggestions?

On 24 Jun 2008, at 15:39, blackflash wrote:

> BAe7CDoOcmV0dXJuX3RvMqIKsmxhc2hJQzonQWN0aW9uQ13udHJvbGxlcjo6
> %220ARmvhc2g6YkZsYXNoSGFzaHsABjoKQHVzZWR7ADoJdXNlcmkC3wM
> %253D--d806ac851b4e6ee4310dcf2abdcf57e3ea4c12cb; path=/ )
>
> When I log out (delete the session), the application gives me a different
> value for the Set-Cookie header.
>
> But on every subsequent login and logout the application sets the SAME
> value for the Set-Cookie header.

With the database store the cookie value is just an identifier used to
look something up in a table. New session = new cookie value.
With the cookie store, the cookie value is the contents of the
session, so if the contents are the same the cookie will be the same.
The cookie store does not try to guard against replay of an old
session; you’ll have to do that yourself.

Fred

Yes, that’s it! Thanks.

Are you familiar with any example on the internet of creating ‘Set-Cookie’
and decoding ‘Cookie’ values from requests / responses?

You mean you want to decode the Rails session cookie? It’s just base64-encoded
Marshal data (up until the --, the rest is the signature).

Fred
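Fred’s two points above (the cookie-store value is the session contents, so equal contents give an equal cookie; and that value is Base64 Marshal data up to the `--`, with the signature after it) as an added example in plain Ruby. This is not code from the thread or from Rails itself: the secret, the HMAC-SHA1 signature and the `DbSessionStore` class are assumptions for the demo, and the database-style store is included only to show the contrasting behaviour.

```ruby
require 'openssl'
require 'securerandom'

# Added example, not Rails' own code: a minimal cookie store in the shape Fred
# describes (Base64 of Marshal data, then "--", then the signature), beside a
# minimal database-style store, so the two Set-Cookie behaviours can be compared.
# The secret and the HMAC-SHA1 choice are assumptions for the demo.
SECRET = 'constructed-demo-secret-not-for-real-use'.freeze

def sign(data, secret = SECRET)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha1'), secret, data)
end

# Cookie store: the cookie *is* the session, so equal contents => equal cookie.
def encode_cookie_session(session, secret = SECRET)
  data = [Marshal.dump(session)].pack('m0')   # strict Base64, no line breaks
  "#{data}--#{sign(data, secret)}"
end

# Constant-time comparison so signature checking does not leak timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Decode only after the signature verifies: Marshal.load on unverified input
# would hand the client control over which objects get instantiated.
def decode_cookie_session(cookie, secret = SECRET)
  data, sig = cookie.to_s.split('--', 2)
  return nil if data.nil? || sig.nil?
  return nil unless secure_compare(sign(data, secret), sig)
  Marshal.load(data.unpack1('m0'))
end

# Database store: the cookie is only an opaque random id; contents live server-side.
class DbSessionStore
  def initialize
    @rows = {}
  end

  def create(session)
    id = SecureRandom.hex(16)                        # fresh id on every login
    @rows[id] = Marshal.load(Marshal.dump(session))  # deep copy of the contents
    id
  end

  def lookup(id)
    @rows[id]
  end

  def destroy(id)
    @rows.delete(id)
  end
end

# Same login twice: the cookie store repeats itself, the DB store does not.
def compare_stores(session)
  db = DbSessionStore.new
  {
    cookie_store_repeats: encode_cookie_session(session) == encode_cookie_session(session),
    db_store_repeats:     db.create(session) == db.create(session)
  }
end

if __FILE__ == $PROGRAM_NAME
  session = { 'user_id' => 42, 'return_to' => '/dashboard' }   # constructed contents
  cookie = encode_cookie_session(session)
  puts cookie
  p decode_cookie_session(cookie)
  p compare_stores(session)
end
```

The order in `decode_cookie_session` is the part to keep: the signature is checked before anything is unmarshalled, so a client who edits the cookie only ever gets `nil` back, never a chance to pick what `Marshal.load` builds.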

No, I’m just trying to find a way to guard against replay of an old
session… so probably I should play around with the request and
response objects to change the defaults for the Set-Cookie value that the
Rails app sets on the response object, and the Cookie value that the Rails
app is supposed to receive from the client.

Cheers!
Dalibor

> On 24 Jun 2008, at 16:15, blackflash wrote:
>
>> Yes, that’s it! Thanks.
>>
>> Are you familiar with any example on the internet of creating ‘Set-Cookie’
>> and decoding ‘Cookie’ values from requests / responses?
>
> You mean you want to decode the Rails session cookie? It’s just base64-encoded
> Marshal data (up until the --, the rest is the signature).
>
> Fred

Just store a timestamp in the session and have a before filter that
checks it?
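Fred’s suggestion, a timestamp in the session checked by a before filter, as an added example in plain Ruby. It is not code from the thread or from Rails: the 30-minute window, the in-memory `LAST_LOGOUT` table and the `GuardedController` stand-in are assumptions for the demo. It also goes one step beyond the suggestion: with the cookie store the old cookie bytes stay acceptable until the window passes, so the example records the logout time server-side and refuses any cookie issued before it.

```ruby
# Added example, not code from the thread or from Rails: a replay guard built
# the way Fred suggests, a timestamp stored in the session and a before filter
# that checks it. The 30-minute window and the in-memory logout table are
# assumptions for the demo.
SESSION_MAX_AGE = 30 * 60   # seconds a session cookie stays acceptable
LAST_LOGOUT = {}            # user_id => epoch seconds of last logout (constructed, in-memory)

# Called from the login action: start a fresh session and stamp it.
def login!(session, user_id, now = Time.now)
  session.clear
  session['user_id']   = user_id
  session['issued_at'] = now.to_i
  session
end

# Called from the logout action. With the cookie store the browser (or anyone
# who copied the cookie) still holds the old bytes, so the logout time is also
# recorded server-side; a cookie issued before it is refused even inside the window.
def logout!(session, now = Time.now)
  LAST_LOGOUT[session['user_id']] = now.to_i if session['user_id']
  session.clear
end

# The check the before filter runs. Returns :ok, :no_session, :expired or :revoked.
def check_session(session, now = Time.now, max_age = SESSION_MAX_AGE)
  user   = session['user_id']
  issued = session['issued_at']
  return :no_session unless user && issued.is_a?(Integer)
  # Future-dated or too-old stamps are both rejected.
  return :expired unless issued <= now.to_i && now.to_i - issued <= max_age
  # Strict "<" so a re-login in the same second as the logout is not locked out.
  revoked_at = LAST_LOGOUT[user]
  return :revoked if revoked_at && issued < revoked_at
  :ok
end

# Minimal stand-in for a controller with `before_filter :require_fresh_session`.
class GuardedController
  attr_reader :session, :redirected_to

  def initialize(session, now = Time.now)
    @session = session
    @now = now
  end

  # Before filter: returns true to let the action run, false after redirecting.
  def require_fresh_session
    verdict = check_session(@session, @now)
    return true if verdict == :ok
    @session.clear                       # drop the stale or replayed contents
    @redirected_to = "/login?reason=#{verdict}"
    false
  end
end

def demo
  t0 = Time.at(1_214_300_000)      # constructed fixed clock so the run is repeatable
  live   = login!({}, 42, t0)      # first login
  replay = live.dup                # a copy of the cookie contents, as a replayed request would present them
  logout!(live, t0 + 120)          # user logs out two minutes later
  GuardedController.new(replay, t0 + 130).require_fresh_session  # false: verdict is :revoked
end

p demo if __FILE__ == $PROGRAM_NAME
```

The timestamp alone only bounds how long an old cookie remains usable; the `LAST_LOGOUT` lookup is what makes logout actually end the session under the cookie store, and it is the one piece of server-side state this approach cannot avoid.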

That’s it, madafaka! Thanks!

> On 24 Jun 2008, at 18:03, blackflash wrote:
>
>> Rails app sets on the response object, and the Cookie value that the Rails
>> app is supposed to receive from the client.
>
> Just store a timestamp in the session and have a before filter that
> checks it?