Can anyone confirm I’m on the right track here re having an approach to
manage session timeout etc:
Assumption: Using active_record session storage.
Don’t set a session (cookie) time as we will manage this manually.
QUESTION: This is a particular assumption I was after feedback on.
I’m assuming that as I’m managing expiry manually in my application
trying to incorporate use of the cookie session expiry time as well
For each request (application.rb before_filter(s)):
Assumption - Rails keeps the sessions table “updated_at”
field populated after each request so that it is up to date
check to see whether the session has expired (manually check
the sessions table “updated_at” field and compare with the
timeout period) - if yes then expire session then
This seems to remove the session record from the sessions
If the user was LOGGED_IN to the application then redirect
them back to the LOGIN PAGE.
Clean up any sessions table records that are older than say 2
x LengthOfSessionTime (use of SQL direct targeted at the session
Query sessions table to see how many users are logged in, for
display in the footer. Capture (a) logged in users and (b)
Update a custom sessions table column (user_id) with the
user_id. Do this via the approach “session.model.user_id =
No need for external cron jobs.
How’s this sound???
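
The per-request check and the cleanup described in the post above, as an added example that is not the poster's code and does not use Rails: an in-memory hash stands in for the sessions table. `SessionTable`, `SessionRow`, the method names, the returned symbols and the 20-minute idle limit are all assumptions made for illustration.

```ruby
# In-memory stand-in for the sessions table (all names are hypothetical).
SessionRow = Struct.new(:session_id, :user_id, :updated_at)

class SessionTable
  IDLE_TIMEOUT = 20 * 60           # assumed idle limit, in seconds
  SWEEP_AFTER  = 2 * IDLE_TIMEOUT  # the post's "2 x LengthOfSessionTime"

  def initialize
    @rows = {}
  end

  def create(session_id, now, user_id = nil)
    @rows[session_id] = SessionRow.new(session_id, user_id, now)
  end

  # Per-request check, playing the role of the before_filter in the post.
  # Returns :ok, :expired_anonymous, :redirect_to_login or :no_session.
  def touch(session_id, now)
    row = @rows[session_id]
    return :no_session if row.nil?

    if now - row.updated_at > IDLE_TIMEOUT
      # Expiry is decided server-side, whatever lifetime the cookie carries.
      @rows.delete(session_id)
      return row.user_id ? :redirect_to_login : :expired_anonymous
    end

    row.updated_at = now # only a live session gets its clock refreshed
    :ok
  end

  # Remove rows that were abandoned, so no later request ever expired them.
  def sweep(now)
    stale = @rows.select { |_, r| now - r.updated_at > SWEEP_AFTER }.keys
    stale.each { |id| @rows.delete(id) }
    stale.size
  end

  # Footer count: idle rows that are not yet swept must not count as logged in.
  def logged_in_count(now)
    @rows.values.count { |r| r.user_id && now - r.updated_at <= IDLE_TIMEOUT }
  end
end
```

Timestamps are plain integers (seconds) here so the behaviour is easy to follow; the same comparisons work with `Time` values.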