Persistent cookies


#1

Hello,

I am trying to implement a “remember me” box for logins, however I can’t
seem to get it to work. I have tried the following 2 methods but neither
seems to work. When I check the expiry time in Firefox it always says
“end of session”.

What is the proper way to handle this so the session cookie “_session_id”
doesn’t expire for a year?

I tried

session[:session_expires] = 1.year.from_now

and

cookies[:_session_id] = { :value => session.session_id, :expires => Time.now+31536000, :domain => ".domain.com" }

I get the following in the log, but viewing the cookie in Firefox doesn’t
reflect this…

Cookie set: _session_id=8813731b821e4b2e9210428d42a72dff;
domain=.familysimple.com; path=/; expires=Sat, 28 Apr 2007 19:05:44 GMT

Any help would be appreciated.

Thanks
adam


#2

Ray, thanks for the help. If I understand you correctly, you cannot
modify the cookies[:_session_id] cookie but instead I should

  1. set some other cookie with the user information in it, like user_id
  2. drop in a before_filter in the application.rb controller to check to
     see if it exists,
  3. load the session from the user_id found in this cookie

Thanks for clearing that up, although I am still a little foggy as to
why I can’t extend the life of the _session_id cookie that gets set by
Rails to correspond to the session data that got created.

Thanks
adam


#3

Adam D. wrote:

> Ray, thanks for the help. If I understand you correctly, you cannot
> modify the cookies[:_session_id] cookie but instead I should
>
>   1. set some other cookie with the user information in it, like user_id

Yes.

>   2. drop in a before_filter in the application.rb controller to check to
>      see if it exists,

Yes, that will work.

>   3. load the session from the user_id found in this cookie

You could do that. It means you’ll have to store the session_id in the
user table, or if you are storing your sessions in the db you could have
a sessions_users table, or something similar. It depends on your
application and what aspects of the session state you are interested in
persisting.

If there is only a small amount of data you want to store, it’s probably
easier to store it in a dedicated model that you could access by user or
in a cookie.

> Thanks for clearing that up, although I am still a little foggy as to
> why I can’t extend the life of the _session_id cookie that gets set by
> Rails to correspond to the session data that got created.

Short answer, ActionController sets the session cookie on every
response. You only set it once.

For illustration, I copied the cookie[_session_id] code from your
previous post into one of my controllers and then I hit the action in my
browser while following the action in LiveHTTPHeaders. Here are the
response headers that were returned to a request.

HTTP/1.x 200 OK
Transfer-Encoding: chunked
Content-Type: text/html
Set-Cookie: _session_id=a7563ea152685329ffebfd55149872d8; path=/;
expires=Sat, 28 Apr 2007 23:29:08 GMT
Set-Cookie: _session_id=a7563ea152685329ffebfd55149872d8; path=/
Cache-Control: no-cache
Date: Fri, 28 Apr 2006 23:29:08 GMT
Server: lighttpd/1.4.11

You can see that the session cookie is set twice in immediate
succession. The first time, your code sets it to expire in a year; the
second time, ActionController sets a cookie with the same name that has
no expiration. The web browser overwrites your cookie with a second
cookie, and since it has no expiration date, the browser assumes that the
cookie expires when the browser is closed.

ActionController sends this cookie in every response, overwriting
whatever you do.

Hope that helps.

Ray


#4

Adam D. wrote:

> I am trying to implement a “remember me” box for logins, however I can’t
> seem to get it to work. I have tried the following 2 methods but
> neither seems to work. When I check the expiry time in Firefox it always
> says “end of session”.
>
> What is the proper way to handle this so the session cookie
> “_session_id” doesn’t expire for a year?

The session cookie, by definition, expires when you close your browser.
The “remember me” is about a persistent cookie, not the session cookie.

> cookies[:_session_id] = { :value => session.session_id, :expires => Time.now+31536000, :domain => ".domain.com" }

You are almost right. Try something like this:

cookies[:user_id] = { :value => user.id, :expires => Time.now+31536000, :domain => ".domain.com" }

Then you need to implement logic in your controllers to read the cookie
and automatically log the user in.

> I get the following in the log, but viewing the cookie in Firefox doesn’t
> reflect this…
>
> Cookie set: _session_id=8813731b821e4b2e9210428d42a72dff;
> domain=.familysimple.com; path=/; expires=Sat, 28 Apr 2007 19:05:44 GMT

If you watch what is happening with a tool like LiveHTTPHeaders, what
you see is that you are setting the session cookie, but then every
controller action is updating the session cookie without a date.

Hope that helps.

Ray
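
The persistent-cookie auto-login discussed in this thread, as an added example that is not from any of the posters: the separate "remember me" cookie carries a random single-use token rather than the user id, and the server keeps only the token's SHA-256 digest. `RememberStore`, `issue`, `redeem` and the in-memory hash standing in for a database table are hypothetical; the `:httponly` and `:secure` flags are assumptions about the deployment.

```ruby
require 'securerandom'
require 'digest'

# Added example: RememberStore is a hypothetical stand-in for a
# remember_tokens table; a real app would persist the rows in its database.
class RememberStore
  LIFETIME = 31_536_000 # one year in seconds, the figure used in the thread

  def initialize
    @rows = {} # selector => { :user_id, :digest, :expires_at }
  end

  # At login with "remember me" ticked: returns the hash to assign to a
  # separate persistent cookie (not _session_id).
  def issue(user_id, now = Time.now)
    selector = SecureRandom.hex(8)  # lookup key, not secret
    secret   = SecureRandom.hex(32) # 256 random bits; only its digest is stored
    @rows[selector] = { :user_id => user_id, :expires_at => now + LIFETIME,
                        :digest => Digest::SHA256.hexdigest(secret) }
    { :value => "#{selector}:#{secret}", :expires => now + LIFETIME,
      :httponly => true, :secure => true }
  end

  # From a before_filter when the session has no logged-in user.
  # Returns [user_id, replacement_cookie], or nil if the cookie is rejected.
  def redeem(cookie_value, now = Time.now)
    selector, secret = cookie_value.to_s.split(':', 2)
    row = @rows.delete(selector) # single use: the row is gone pass or fail
    return nil if row.nil? || secret.nil? || now > row[:expires_at]
    return nil unless secure_equal?(row[:digest], Digest::SHA256.hexdigest(secret))
    [row[:user_id], issue(row[:user_id], now)] # rotate the token on each use
  end

  private

  # Constant-time comparison of two equal-length hex digests.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

On a successful `redeem`, the controller would record the returned user id in the session and write the replacement cookie in the same response.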