Keeping A Session Alive


#1

How can I set it so that someone stays logged in even if they closed
there browser? I am looking to give users the ability to stay logged
in if they want or to logout when they close there application.

How does one go about doing it that way… the rails way? :slight_smile:

John K.


http://www.soen.info - where software engineering knowledge gets indexed
http://cusec.soen.info - software engineering conference


#2

John K. <john@…> writes:

http://www.soen.info - where software engineering knowledge gets indexed
http://cusec.soen.info - software engineering conference

Hi John,

I am no expert, however, I think I read somewhere about storing session
details
inside the application itself in a text file. Your basic need is to
store the
session details which get erased on closing of the browser. So simply
give it a
try by storing the session details in a file or better still store it in
the
database which you will keep more secure, thus, keeping the user session
details
secure. Hope this helps.

Ravi


#3

On Nov 13, 2005, at 8:15 PM, Ravi Dhupar wrote:

session details
Ravi

This is not related to the underlying storage of the session data. The
server is not
at all aware of when you close your browser. The ID for a session is
stored in a cookie,
the Rails default sets that cookie to expire when the browser exits.
To get the effect
the OP is after, you set an explicit expiration time on the cookie.
Just set it to something
really long, weeks, months, years into the future.

You should be able to do something like this (untested);

application.rb

class ApplicationController < ActionController::Base
session :session_expires => Time.now + 10.years
end


#4

On Nov 13, 2005, at 9:46 PM, John K. wrote:

The problem with both options is that you are making it an application
thing rather then a on login the person can specify to keep me logged
on or not. Does anyone know how to do that?

Setting session properties at the application level was just an
example. The documentation will show you that you can
set them at a finer grain.

At any rate, I have been using a solution that I wrote before setting
session props was easy, and I’ll describe that for
you here.

For this I use a separate cookie from the session cookie, and leave the
session cookie alone. I don’t keep any long
term state in the session so I don’t care if it goes away when the
browser exits. If you do keep long term state in the
session, you’ll have to modify this solution to set the expiry on the
session cookie appropriately, or take other measures.

When a user logs in and checks the ‘remember me box’, you generate a
hash (which should be unique and unguessable
just like the normal session id) and stick this in a cookie and
somewhere you can get to it later (I just stick it in the
user’s entry in the users table in the database).

Now, when you do your normal auth check filter, if the normal login
check fails you can check for this extra cookie. If
it’s there and its hash is found in the database, you’ve got your user
and you can log them in.

That’s the bird’s eye view, anyway. Implementation and security is
left as an exercise to the reader.


#5

The problem with both options is that you are making it an
application thing rather then a on login the person can specify to
keep me logged on or not. Does anyone know how to do that?