Would a Class-level variable (e.g., @@logged_in) not work for this?
----- Original Message -----
From: Justin B.
Sent: 2006-03-15 11:15 AM
Subject: Re: [Rails] [login_generator] implementing login limits
The session isn’t going to do anything for you, because one is created
for each “browser” that hits the site. That’s why your experiment didn’t
work - the session for your first admin login isn’t going to be visible
from your second.
Instead, you need a way to check, across sessions, if someone is
logged in as an admin. The only thing I can think of is to write the
session_id (@session.session_id) to a database table when an admin logs
in. Then, if someone tries to login as an admin, check if their
session_id matches the one in the table. If not, don’t let them in. When
the admin logs out, clear the session_id from the table and you are set
up for the next login.
You can then store a timestamp in the same row that is updated via a
before_filter method every time the ‘valid’ admin does an action. That
way, you can easily check if session_id has been idle more than 15
minutes when a new admin comes along, and let them in if so.
Honestly, though, I would look at your application model as a whole.
Why are you writing a web application that needs to be single-user?
Write a command line script instead and you don’t have to worry about
this issue at all.
Anyways, hope that helps.
On 3/15/06, dave davidson firstname.lastname@example.org wrote:
I have a simple Rails app that I am close to deploying on
our intranet. The security model is “either you are an admin
or you are not,” with the method of implementing this model
being done by the login_generator 1.1.0.
There is one account set up, 'admin', with three of us
having the ability to logon with this username ( i.e. we
know the password). I am looking to implement the
1. Allow only 1 login at a time-- if 'admin' is logged
in and another person tries to log in with 'admin', they
2. Have an 'auto-logout' feature where if there is no
activity after say, 15 mins, the session expires and a new
login is required to get back in.
For , I've tried hacking the login method in
app/controllers/account_controller.rb by adding:
render :text=>"already logged in!"
[...rest of stock login code...]
Since there's only one available username, I'm just checking
to see if @session is not empty; if it is, then someone is
logged in, so prevent the current user from doing so.
Unfortunately, this has no effect-- I can still log in multiple
times with the admin account.
For , I'm assuming this would be done by setting a time
limit on the session. Researching
ActionController::Base#process_cgi (which apparently is just
an alias for Ruby's CGI::Session) turns up the :session_expires
option which seems to be what I'm looking for. However, I see
the following in the AWD book, pg.306:
The absolute time of the expiry of this session. Like
:new_session, this option should probably not be used
Hmmm. Any suggestions?
Posted via http://www.ruby-forum.com/.
Rails mailing list
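
The approach Justin describes above (the admin's session_id plus a timestamp in one table row, refreshed by a before_filter), as an added example that is not part of the original thread or of login_generator. AdminLock and its method names are hypothetical, and an in-memory Hash stands in for the database row.

```ruby
# Added example: single-admin lock with a 15-minute idle takeover.
# AdminLock is a hypothetical name; @row stands in for the one-row DB table.
# In a real database the check-then-write in #acquire must be atomic
# (transaction or row lock), or two logins can race past the check.
class AdminLock
  IDLE_LIMIT = 15 * 60 # seconds of inactivity before another login may take over

  def initialize(clock = -> { Time.now })
    @clock = clock # injectable so the timeout can be exercised without sleeping
    @row = { session_id: nil, last_seen: nil }
  end

  # Call from the login action after the password check succeeds.
  def acquire(session_id)
    now = @clock.call
    held_by_other = @row[:session_id] && @row[:session_id] != session_id
    return false if held_by_other && !idle?(now)
    @row = { session_id: session_id, last_seen: now }
    true
  end

  # Call from a before_filter on every admin action.
  # Returns false when this session no longer holds the lock or has gone idle.
  def touch(session_id)
    now = @clock.call
    return false unless session_id && @row[:session_id] == session_id
    if idle?(now)
      release(session_id) # auto-logout: force a fresh login
      return false
    end
    @row[:last_seen] = now
    true
  end

  # Call from the logout action; only the current holder can clear the row.
  def release(session_id)
    return false unless session_id && @row[:session_id] == session_id
    @row = { session_id: nil, last_seen: nil }
    true
  end

  private

  def idle?(now)
    @row[:last_seen].nil? || (now - @row[:last_seen]) > IDLE_LIMIT
  end
end
```

When `touch` returns false, the filter should reset the session and redirect to the login page, so a displaced or idle browser cannot keep acting as admin.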