Session record not getting deleted

Hi,
I have been asking this question in multiple forums like stackexchange
but have not received a solution or proper help. Any help here is
appreciated.

I have a rails app with a session store database (mysql). When I want to
clear a session, I reset the session variables and call reset_session.
But then the record in mysql which was added on creating a session does
not get cleared automatically (which it should).

This is what my sessions controller looks like:

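    class SessionsController < ApplicationController
      # Store the submitted e-mail in the session as the user's identity.
      def create
        session[:user_id] = params[:email]
        session[:username] = params[:email]
      end

      # Clear the stored identity, then discard the session.
      def destroy
        session[:user_id] = nil
        session[:username] = nil
        reset_session
      end
    end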

When the create gets called, I see rails adding a record automatically
in the sessions table. But then it does not get cleaned up on
reset_session.

kybitz-vm_001:(controllers) [master]$ rails -v
Rails 3.2.13
kybitz-vm_001:(controllers) [master]$ ruby -v
ruby 1.8.7 (2011-06-30 patchlevel 352) [i686-linux]

Thanks.

Bharath N. wrote in post #1154181:

Hi,
I have been asking this question in multiple forums like stackexchange
but have not received a solution or proper help. Any help here is
appreciated.

I have a rails app with a session store database (mysql). When I want to
clear a session, I reset the session variables and call reset_session.
But then the record in mysql which was added on creating a session does
not get cleared automatically (which it should).

Do you have reference to documentation stating that it should? To my
knowledge using ActiveRecord session storage has always required manual
purging.

This article might help:
http://blog.brightbox.co.uk/posts/clearing-out-rails-sessions

Besides, using MySQL for session storage isn’t currently recommended in
the first place:

Ruby on Rails 4.0 Release Notes — Ruby on Rails Guides

ActiveRecord session store (commit) - The ActiveRecord session store is
extracted to a separate gem. Storing sessions in SQL is costly. Instead,
use cookie sessions, memcache sessions, or a custom session store.

Okie, assuming it's done manually, is there a way to at least figure out
which of the sessions are for logged out users ??

On 5 August 2014 23:05, Bharath N. [email protected] wrote:

Okie, assuming it's done manually, is there a way to at least figure out
which of the sessions are for logged out users ??

Delete it explicitly when a user logs out, then you know that any left
are those that have not logged out.

Colin

Thanks Robert for the reply. Nope, not from documentation. It's just a
basic thing that if the record is created by rails, it needs to be
cleaned up by rails (why would it need to be cleaned up out of a
different path)?

I remember reading this stackoverflow comment as well which mentioned
that it should clear on calling reset_session.

"When you call reset_session rails will delete that row from the session
table. However not every session will have reset_session called on it:
if a user closes their browser without logging out then the browser will
discard the session cookie, so that session row will never be used
again, but reset_session won’t be called.

Rails won’t clear out that accumulating cruft for you - it’s up to you
to do any housekeeping on it as you see fit. In a previous job we used to
run a cronjob that deleted old session rows."

On 23 August 2014 06:32, Bharath N. [email protected] wrote:

The problem is that I want to hold sessions who have not logged out. And
clear sessions who have not logged in. Sessions are created
automatically by rails when the login page loads itself.

Sorry, don’t understand. Can you clarify what you mean by ‘logged
out’? I assumed you meant users that have clicked on the ‘logout’
link.

Colin

Colin L. wrote in post #1154372:

On 5 August 2014 23:05, Bharath N. [email protected] wrote:

Okie, assuming it's done manually, is there a way to at least figure out
which of the sessions are for logged out users ??

Delete it explicitly when a user logs out, then you know that any left
are those that have not logged out.

Colin

The problem is that I want to hold sessions who have not logged out. And
clear sessions who have not logged in. Sessions are created
automatically by rails when the login page loads itself.

Colin L. wrote in post #1155762:

On 23 August 2014 06:32, Bharath N. [email protected] wrote:

The problem is that I want to hold sessions who have not logged out. And
clear sessions who have not logged in. Sessions are created
automatically by rails when the login page loads itself.

Sorry, don’t understand. Can you clarify what you mean by ‘logged
out’? I assumed you meant users that have clicked on the ‘logout’
link.

Colin

Okie. This is what I see from how it's happening:

  1. There is a login page
  2. When login page is loaded I see an entry for a session put in.

+-----+----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------+---------------------+---------------------+
| id | session_id | data | created_at | updated_at |
+-----+----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------+---------------------+---------------------+
| 172 | 683aeb1fec89147c16db6ffb8614d915 |
BAh7BiIQX2NzcmZfdG9rZW4iMUVNN1ZVSSt6cGdMaTdRT1RycjhuVTlkWHMr
M1RyYzZyZUpYaEh5eE93VDQ9

  3. When someone logs in successfully, I set the user_id value in the
    session variable. Right then I see that the sql record has the value in
    “data” variable changed.

    session[:user_id] = params[:email]

  4. When someone logs out, I clear the value and call reset_session.
    Again I see the sql record has the “data” variable with changed value.

    session[:user_id] = nil
    reset_session

Hence the problem is:

  1. Can’t I ensure a session record is created only when I want - After
    the user logs in ?
  2. If not, can I differentiate an authenticated session vs
    unauthenticated sessions (sessions where the login page was just loaded
    OR sessions where the user logged out) ?

On 24 August 2014 19:03, Bharath N. [email protected] wrote:

shows the session being created in session create, which is presumably
as a result of posting the login form, not displaying. It is up to
you what code you put there.

Actually nope. When I hit localhost:3000, the login page pops up. I
don’t see any of the controller code being executed. But when I check
the sql sessions table, I see rails has put in an entry:

OK. It seems I am not the one who can help in that case. I think you
need someone who knows more about sessions stored in the db.

Sorry

Colin

On 24 August 2014 17:32, Bharath N. [email protected] wrote:

Colin

Okie. This is what I see from how it's happening:

  1. There is a login page
  2. When login page is loaded I see an entry for a session put in.

What do you mean by ‘loading’ the login page? The code you posted
shows the session being created in session create, which is presumably
as a result of posting the login form, not displaying. It is up to
you what code you put there.

session variable. Right then I see that the sql record has the value in
Hence the problem is:

  1. Can’t I ensure a session record is created only when I want - After
    the user logs in ?

When a user logs in check whether they already have an active session
and if so restore that one and remove the new one (or even better
don’t save it). If there is nothing stored in the session other than
the fact that they have logged in then you can just delete any old
ones for that user.

Colin

Colin L. wrote in post #1155842:

On 24 August 2014 17:32, Bharath N. [email protected] wrote:

Colin

Okie. This is what I see from how it's happening:

  1. There is a login page
  2. When login page is loaded I see an entry for a session put in.

What do you mean by ‘loading’ the login page? The code you posted
shows the session being created in session create, which is presumably
as a result of posting the login form, not displaying. It is up to
you what code you put there.

Actually nope. When I hit localhost:3000, the login page pops up. I
don’t see any of the controller code being executed. But when I check
the sql sessions table, I see rails has put in an entry:

mysql> select * from sessions;
+----+----------------------------------+----------------------------------------------------------------------------------------+---------------------+---------------------+
| id | session_id | data | created_at | updated_at |
+----+----------------------------------+----------------------------------------------------------------------------------------+---------------------+---------------------+
| 2 | b43e58bd6c2871beb354f40650deaade |
BAh7BiIQX2NzcmZfdG9rZW4iMUdLZU1zSlNmbGR4UDByVjRQNUlJem02UWFx
YzRGcFAwNHF5bW52NFJaZ2M9
| 2014-08-24 17:59:48 | 2014-08-24 17:59:48 |
+----+----------------------------------+----------------------------------------------------------------------------------------+---------------------+---------------------+
1 row in set (0.00 sec)

On Sunday, August 24, 2014 5:33:00 PM UTC+1, Ruby-Forum.com User wrote:

  1. Can’t I ensure a session record is created only when I want - After
    the user logs in ?
  2. If not, can I differentiate an authenticated session vs
    unauthenticated sessions (sessions where the login page was just loaded
    OR sessions where the user logged out) ?

A row gets set in the sessions table (or whatever session store you use)
whenever something is assigned to the session. In particular, pretty much
any time you display a form (or call csrf_meta_tag) rails saves the value
of the csrf token to the session. This is probably why you’re seeing
sessions created on displaying the login page.

You can’t by default differentiate between authenticated sessions and non
authenticated sessions: rails’ session support is unaware of what
authenticated means to you. You could probably do this with a custom
session store - a session store implementation has access to the rack env
hash, so your app code could set values in there that the session store
could save. The active record store implementation that was extracted from
rails (GitHub - rails/activerecord-session_store: Active Record's Session
Store extracted from Rails) would probably be a good place to start.

Fred
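
Added example, not part of the thread and not code from Rails or activerecord-session_store: the `data` column shown above is Base64 over a Marshal dump of the session hash, so a housekeeping job can decode each row, treat a non-nil `user_id` as "authenticated", and expire anonymous (login-page or logged-out) rows sooner. The TTL values, the `ROWS` layout, and rows 3 and 4 are constructed assumptions; row 2 is the one posted in the thread.

```ruby
# Added example: classify rows of an ActiveRecord-style sessions table by
# decoding the `data` column. Runs without Rails or MySQL.
DAY = 86_400

# `data` is Base64 text wrapping a Marshal dump of the session hash.
# Only run Marshal.load on rows your own application wrote.
def decode_session(data)
  Marshal.load(data.unpack('m').first)
end

# Inverse of decode_session, used here only to build constructed rows.
def encode_session(hash)
  [Marshal.dump(hash)].pack('m')
end

# Authenticated means the app stored a non-nil user_id, as in the thread's
# SessionsController#create. Both key styles are checked (assumption).
def authenticated?(session)
  !(session['user_id'] || session[:user_id]).nil?
end

# Ids of rows idle longer than their TTL. The TTL values are assumptions.
def purgeable_ids(rows, now, anon_ttl = DAY, auth_ttl = 14 * DAY)
  stale = rows.select do |row|
    ttl = authenticated?(decode_session(row[:data])) ? auth_ttl : anon_ttl
    now - row[:updated_at] > ttl
  end
  stale.map { |row| row[:id] }
end

# Row 2 exactly as posted in the thread (written when the login page loaded).
LOGIN_PAGE_DATA = "BAh7BiIQX2NzcmZfdG9rZW4iMUdLZU1zSlNmbGR4UDByVjRQNUlJem02UWFx\n" \
                  "YzRGcFAwNHF5bW52NFJaZ2M9\n"

NOW = Time.utc(2014, 8, 27, 18, 0, 0) # constructed "current time"
ROWS = [
  { :id => 2, :data => LOGIN_PAGE_DATA,
    :updated_at => Time.utc(2014, 8, 24, 17, 59, 48) },
  # Constructed rows: a logged-in session and a fresh anonymous one.
  { :id => 3, :data => encode_session('_csrf_token' => 'x', 'user_id' => 'user@example.test'),
    :updated_at => Time.utc(2014, 8, 24, 18, 5, 0) },
  { :id => 4, :data => encode_session('_csrf_token' => 'y'),
    :updated_at => Time.utc(2014, 8, 27, 17, 30, 0) }
]

ROWS.each do |row|
  puts "#{row[:id]}: #{decode_session(row[:data]).keys.inspect}"
end
puts "purge: #{purgeable_ids(ROWS, NOW).inspect}"
```

The login-page row decodes to a hash whose only key is `_csrf_token`, which is why it is indistinguishable from a logged-out session and can share the shorter TTL.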