Persistent session cookies?

It seems Rails sessions by default only last, well, a browsing session.
If the Rails app keeps track of logged-in state by sessions, that state
doesn’t survive restarting the browser.

How best to change this behaviour, to make the session cookie live
forever, or at least beyond browser restarts?

It was suggested to me on IRC to combine sessions with code to generate
a unique id and then store that in a “normal cookie” as well as in the
DB, and then restore the session out of that, but that seems like
re-inventing session handling.

What are some better solutions?

You can set the expiration time of the cookie in the Rails code when
you create it. Just include the :expires option in the hash when you
define the cookie.

On Jan 8, 2006, at 3:35 PM, Henrik wrote:


-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.
-.-.-.-.-.-.-.-.-.-.-.-.-.-.-
Dan S.
Technology Visionary - Technology Assessment - Documentation
“Looking at technology from every angle”

On this note, how do people deal with persistent logins, such as
‘remember me’ functions when logging in?
Just store a unique ID in a cookie as mentioned below, or some other
method?

Thanks.


R.Livsey

Dan S. wrote:

You can set the expiration time of the cookie in the Rails code when
you create it. Just include the :expires option in the hash when you
define the cookie.

Thank you. Could you please expound on this? I know that you can set the
expire time on cookies, but this concerns sessions, where you never set
cookies yourself. E.g.

session['foo'] = 'bar'

Is there a way to inject e.g. :expires into the session cookie?


Henrik

Dan S. wrote:

Whether in Rails or other apps, I handle the “remember me” and auto-
login stuff pretty much the same. I use cookies rather than the
server database. If the user loses the cookie or tries to log in from
a different machine, s/he has to go through the login process again
but that’s the only real downside.

I think of the user as an object that should know how to log
itself in. MVC, ya know! :)

Well, the downside with cookies is that you can’t very well set e.g.
cookie['logged-in-user'] = 'foo'
since anyone could spoof it. I suppose you could do
cookie['logged-in-user'] = 'foo'
cookie['logged-in-pw-hash'] = 'b4r010101010'
which might perhaps not be much less safe than the session id hash.
However, it is certainly possible to make session cookies persistent.
Rails is just so high-level that I don’t know how to go about it.


Henrik
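
The "unique id in a normal cookie as well as in the DB" idea from the first post, written so the cookie cannot be spoofed the way a bare user name can and so no password hash leaves the server. This is an added example, not code from any poster in this thread or from Rails; RememberStore, its methods, the 30-day lifetime and the :remember_me cookie name are hypothetical.

```ruby
require 'securerandom'
require 'digest'

# Hypothetical in-memory stand-in for a database table of remember-me tokens.
class RememberStore
  LIFETIME = 30 * 24 * 3600 # seconds (constructed value)

  def initialize
    @rows = {} # selector => { user:, digest:, expires_at: }
  end

  # Returns the cookie value. Only a digest of the secret half is kept
  # server-side, so a leaked table does not yield usable cookies.
  def issue(user, now = Time.now)
    selector = SecureRandom.hex(8)
    secret = SecureRandom.hex(32)
    @rows[selector] = { user: user, expires_at: now + LIFETIME,
                        digest: Digest::SHA256.hexdigest(secret) }
    "#{selector}:#{secret}"
  end

  # Returns [user, replacement_cookie_value], or nil if the cookie is
  # unknown, forged, already used, or expired.
  def redeem(cookie_value, now = Time.now)
    selector, secret = cookie_value.to_s.split(':', 2)
    row = @rows[selector]
    return nil unless row && secret
    return nil unless same?(row[:digest], Digest::SHA256.hexdigest(secret))

    @rows.delete(selector) # single use: every login rotates the token
    return nil if now >= row[:expires_at]

    [row[:user], issue(row[:user], now)]
  end

  private

  # Constant-time comparison, so response timing does not leak the digest.
  def same?(a, b)
    return false unless a.bytesize == b.bytesize

    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# In a Rails controller the value would be sent with the :expires option
# mentioned in the thread, e.g. (assumed cookie name :remember_me):
#   cookies[:remember_me] = { value: store.issue(user.id),
#                             expires: 30.days.from_now, httponly: true }
```
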

Whether in Rails or other apps, I handle the “remember me” and auto-
login stuff pretty much the same. I use cookies rather than the
server database. If the user loses the cookie or tries to log in from
a different machine, s/he has to go through the login process again
but that’s the only real downside.

I think of the user as an object that should know how to log
itself in. MVC, ya know! :)

On Jan 8, 2006, at 8:38 PM, Richard L. wrote:


Sorry, but I can’t expound further on session cookies. I’m too new to
Ruby and I’d probably get it wrong. Hopefully someone else will jump
in here with more wisdom than I.

On Jan 9, 2006, at 12:45 AM, Henrik wrote:
