How conditionally allow Session :off

Rails
1

I need to enable/disable sessions based on the incoming IP address.
Any request coming from the IP that Rails is running from needs to
have session :off, other IPs can create a session.

Right now I’m just using a hard coded address of the system Rails is
running on–I’ll work out acquiring that dynamically as the next step.

Neither of these worked for me, and actually that makes sense now, so
what would be the way to do it?

class ApplicationController < ActionController::Base

if request.remote_ip == ‘x.x.x.x’ # === request not available here
session :off
end

class ApplicationController < ActionController::Base

before_filter :check_request_source

def check_request_source
if request.remote_ip == ‘206.82.195.150’
session :off # === session not available here
end
end

– gw

2

Neither of these worked for me, and actually that makes sense now, so
what would be the way to do it?

Assuming the :only, :except and :session_secure options are not
enough, you can also do

session :off, :if => Proc.new { |req| … }

req is the request object ( so req.parameters is the parameters hash ,
and i would imagine that req.remote_ip would be there too.

Fred

3

On May 22, 2008, at 1:02 PM, Frederick C. wrote:

Neither of these worked for me, and actually that makes sense now, so
what would be the way to do it?

Assuming the :only, :except and :session_secure options are not
enough, you can also do

session :off, :if => Proc.new { |req| … }

req is the request object ( so req.parameters is the parameters hash ,
and i would imagine that req.remote_ip would be there too.

Hmm. Looked promising, but these both cause 503 errors, so I figure I
don’t have some syntax twist correct.

session :off, :if => Proc.new { |req| req.remote_ip == ‘x.x.x.x’ }
session :off, :if => Proc.new { |req| req.parameters[:remote_ip] ==
‘x.x.x.x’ }

– gw

4

Greg W. wrote:

On May 22, 2008, at 1:02 PM, Frederick C. wrote:

Neither of these worked for me, and actually that makes sense now, so
what would be the way to do it?

Assuming the :only, :except and :session_secure options are not
enough, you can also do

session :off, :if => Proc.new { |req| … }

req is the request object ( so req.parameters is the parameters hash ,
and i would imagine that req.remote_ip would be there too.

Hmm. Looked promising, but these both cause 503 errors, so I figure I
don’t have some syntax twist correct.

session :off, :if => Proc.new { |req| req.remote_ip == ‘x.x.x.x’ }
session :off, :if => Proc.new { |req| req.parameters[:remote_ip] ==
‘x.x.x.x’ }

– gw

This seems to work great for me:

session :off, :if => Proc.new { |req| req.remote_ip == ‘127.0.0.1’ }

Check your log to see what the error is.

5

On 22 May 2008, at 21:54, Greg W. wrote:

session :off, :if => Proc.new { |req| … }

Hmm. Looked promising, but these both cause 503 errors, so I figure I
don’t have some syntax twist correct.

session :off, :if => Proc.new { |req| req.remote_ip == ‘x.x.x.x’ }
session :off, :if => Proc.new { |req| req.parameters[:remote_ip] ==
‘x.x.x.x’ }

The first looks about right to me and works on a rails 2.0.2 app. What
the actual ruby error ?

It does work in local dev, but not in production. No errors or
messages of any kind logged to either production.log nor the mongrel.

This was actually an attempt at a stop gap anyway. I probably just
need to focus on getting to the root problem: excesssive empty
session being generated by something pinging the home page of the
application. I’ve removed/disabled all sources I can think of (load
balancer monitors, nagios, monit, etc). The last thing I can think of
is that mongrel itself is generating pings. As a band-aid, I was
hoping to eliminate the session by IP filtering for now, but that
appears to interfere with something. It’s an app I’ve inherited,
written by folks new to Rails themselves, and has some stuff I
haven’t yet fully figured out.

Anyway… original question answered. Thanks.

– gw

6

On 22 May 2008, at 21:54, Greg W. wrote:

session :off, :if => Proc.new { |req| … }
‘x.x.x.x’ }
The first looks about right to me and works on a rails 2.0.2 app. What
the actual ruby error ?

Fred

7

Greg W. wrote:

There is no error message in either production.log or in mongrel.log
I’m hoping someone has some debugging ideas.

I managed to force an error, but essentially all I am getting is that
some code further in the page which uses session_id gripes that it is
not available because there is no sesion object. So, it’s like the if
statement is turning sessions off for all requests, not just the
filtered ones.

Why this would be different under mod_rails vs mongrel, I juat can’t
even guess.

– gw

8

I need to resurrect this one.

I had switched to mod_rails, and was able to use this

session :off, :if=>Proc.new {|req| req.remote_ip == ‘x.x.x.x’}

to do the filtering I said I needed in my original post.

However, mod_rails is breaking other pieces of my application, and I
need to go back to a mongrel_cluster.

Another however… that session statement is causing the app to crash
when run under mongrel – but only when run in production. Seems to
work OK in development.

There is no error message in either production.log or in mongrel.log

I’m hoping someone has some debugging ideas.

– gw

9

(didn’t see this come back to the list)

I need to resurrect this one.

I had switched to mod_rails, and was able to use this

session :off, :if=>Proc.new {|req| req.remote_ip == ‘x.x.x.x’}

to do the filtering I said I needed in my original post.

However, mod_rails is breaking other pieces of my application, and I
need to go back to a mongrel_cluster.

Another however… that session statement is causing the app to crash
when run under mongrel – but only when run in production. Seems to
work OK in development.

There is no error message in either production.log or in mongrel.log

I’m hoping someone has some debugging ideas.

– gw