Sessions store

I have some questions about sessions store. Actually I’m using cookie
based authentication. But I need a way to know if someone is logged in
or not, so that’s why I need DB store sessions. But my question is, is
there a way of making these sessions expire like cookies, or being
permanent as cookies? Is it safer or less?

But I need a way to know if someone is logged in
or not, so that’s why I need DB store sessions,

Why does that require DB store?

How could I get if a user is connected or not?

You could simply do this:

def some_action
  # The value is set client-side visible and is not tied to any server state.
  cookies[:signed_in] = 'yes'
end

def another_action
  if cookies[:signed_in] == 'yes'
    # show all the user's secrets
  end
end

However, that’s not very secure.

If cookies are permanent I can’t verify if signed in is true or false.

I don’t need the cookie for the current user, but for every user. So a
user can see if someone else is connected or not.

Read this:

http://ruby.railstutorial.org/chapters/sign-in-sign-out#sec:sessions

Tomas R. wrote in post #1016683:

I don’t need the cookie for the current user, but for every user.

Adding requirements at this late date voids our contract. I quit.

On Aug 14, 2011, at 9:55 PM, Tomas R. wrote:

I don’t need the cookie for the current user, but for every user. So a
user can see if someone else is connected or not.

Read up on storing the session in a database in the Rails Guide. That
way you can query the database to find out who’s on line.

Walter

On Aug 13, 10:59pm, “Tomas R.” wrote:

I have some questions about sessions store. Actually I’m using cookie
based authentication. But I need a way to know if someone is logged in
or not, so that’s why I need DB store sessions. But my question is, is
there a way of making these sessions expire like cookies, or being
permanent as cookies? Is it safer or less?

db store sessions are still backed by cookies (except that the cookie
now contains the identifier for a database row) so the sessions will
expire as a cookie based one would too. You can however forcefully
expire sessions by deleting rows from your sessions table.
You still won’t be able to detect whether a user has lost their
session by quitting their browser without logging out from within your
app though.

Fred

On 15 Aug 2011, at 11:54, Frederick C. wrote:

now contains the identifier for a database row) so the sessions will
expire as a cookie based one would too. You can however forcefully
expire sessions by deleting rows from your sessions table.
You still won’t be able to detect whether a user has lost their
session by quitting their browser without logging out from within your
app though.

Exactly. What most CMS and forum apps do is check the updated_at
column from the sessions table and when someone has been accessing the
site within xx minutes, it assumes they are online. You could just as
well do it by touching the user object using the cookie store in your
authenticate method (maybe in a more performant way than
ActiveRecord’s, but that’s up to you). If you’re insisting on using
the db session store, you’re probably cleaning out stale sessions that
are older than xx days, that’s where you “expire” your sessions.
However, if online status is the only reason you want to use database
sessions, you shouldn’t even switch. There are better ways to tackle
that problem.

If you REALLY want instant feedback on whether someone is online or
not, you’d have to implement something like Socket.IO (which uses
websockets if available, falls back to whatever it can use if not such
as Flash sockets). You then need to listen for the disconnect event on
the server to know if a user went offline. If you’re totally in the
dark when it comes to two-way communication, you could have a look at
Faye (#260 Messaging with Faye - RailsCasts). There are
some other solutions out there too (socketstream, ) or you can roll
your own in e.g. NodeJS using Socket.IO.

Best regards

Peter De Berdt
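
The approach described in the last two replies (a server-side sessions table keyed by the identifier in the cookie, forced expiry by deleting rows, and online status inferred from updated_at), as an added example that is not part of the original thread. It is plain Ruby with an in-memory hash standing in for the sessions table; the SessionTable class, its method names and the time windows are assumptions, not Rails APIs.

```ruby
require 'securerandom'

# In-memory stand-in for a sessions table: session_id => row.
# SessionTable and its method names are hypothetical, not Rails APIs.
class SessionTable
  Row = Struct.new(:user_id, :created_at, :updated_at)

  def initialize(online_window: 5 * 60, max_age: 14 * 24 * 3600)
    @rows = {}
    @online_window = online_window # seconds of inactivity before "offline"
    @max_age = max_age             # seconds before a row counts as stale
  end

  # Called at sign-in: the cookie carries only this random identifier.
  def create(user_id, now: Time.now)
    sid = SecureRandom.hex(32)
    @rows[sid] = Row.new(user_id, now, now)
    sid
  end

  # Called on every authenticated request: resolves the cookie value to a
  # user and bumps updated_at. Unknown, revoked or stale ids return nil.
  def authenticate(sid, now: Time.now)
    row = @rows[sid.to_s]
    return nil if row.nil?
    if now - row.updated_at > @max_age
      @rows.delete(sid.to_s)
      return nil
    end
    row.updated_at = now
    row.user_id
  end

  # Forced expiry: delete the rows; the cookie left in the browser is useless.
  def revoke_user(user_id)
    @rows.delete_if { |_sid, row| row.user_id == user_id }
  end

  # "Online" is an inference from recent activity, not a live connection.
  def online_user_ids(now: Time.now)
    @rows.values.select { |r| now - r.updated_at <= @online_window }
         .map(&:user_id).uniq
  end

  # Periodic cleanup of stale rows; returns the number of rows left.
  def sweep_stale(now: Time.now)
    @rows.delete_if { |_sid, row| now - row.updated_at > @max_age }
    @rows.size
  end
end
```

Unlike the cookies[:signed_in] flag earlier in the thread, the cookie value here is an unguessable row key, so a client cannot assert its own login state and the server can end a session without the browser's cooperation.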