Forum: Rails Engines user_engine question: session expiry

Announcement (2017-05-07): www.ruby-forum.com is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see rubyonrails.org/community and ruby-lang.org/en/community for other Rails- and Ruby-related community platforms.
Jonathan Waddilove (Guest)
on 2006-01-31 17:18
First, James, thanks again for giving us these engines. This makes it so
easy to control access to Rails sites in a flexible manner. Just what
the Dr. ordered.

I need two extensions to the basic user_engine and I am wondering if I
have missed finding similar features in the documentation. Or, failing
that, some suggestion on how best to add these functions.

I'd like to be able to expire a user's session. So for example I'd like
to time-stamp each request from a user session and then if more than xxx
minutes have passed I would like the user to have to log back in.
Similarly, I would like to force the user to re-verify their user id and
password for a subset of actions.

Many thanks   - Jonathan
James Adam (Guest)
on 2006-02-03 12:50
(Received via mailing list)
Probably the simplest way to do this is just using an additional
before_filter, something like:

class ApplicationController < ActionController::Base
  include LoginEngine; include UserEngine

  before_filter :authorize_action
  before_filter :expire_stale_session

  SESSION_TIMEOUT = 600 # seconds of inactivity allowed between requests

  # Returning false from a before_filter halts the chain, so the action
  # never runs once the session has been expired.
  def expire_stale_session
    return true unless user?
    last_seen = session[:user_timestamp]
    if last_seen && (Time.now - last_seen) > SESSION_TIMEOUT
      session[:user] = nil           # log them out
      session[:user_timestamp] = nil # reset the timer
      flash[:message] = "Your session has timed out. Please re-authenticate..."
      store_location # so when they do log in they come back here
      access_denied  # redirect them to the login page
      return false   # stop the filtering
    end
    session[:user_timestamp] = Time.now # stamp this request; the idle timer restarts
    true
  end
end

... I've not tested that at all, but something along those lines
should work. To require the user to re-enter their password, you could
add a line of code like below to the top of only those certain actions
(presuming that you've supplied a form on those pages which puts the
password into params[:password])

  # Re-check the password the user just typed against their own account
  # only; User.authenticate(login, password) returns nil on failure.
  # Returning without an explicit render falls back to the action's
  # default template, so the sensitive work below this point is skipped.
  if User.authenticate(current_user.login, params[:password]).nil?
    flash[:message] = "Wrong password!"
    return
  end

Essentially you're just checking if the current user can be
authenticated with the password they've just supplied. Again - I've
not tested that but it should be something like this.

On 1/31/06, Jonathan Waddilove <jwaddilove@mac.com> wrote:
> minutes have passed I would like the user to have to log back in.
> http://lists.rails-engines.org/listinfo.cgi/engine...
>


--
* J *
  ~
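The two ideas in James's reply, a timestamp-driven session expiry and a password re-check for sensitive actions, carried through as an added example that is not code from this thread or from the Engines project. It runs as plain Ruby: a Hash stands in for the Rails session, a lambda for the clock, and a constructed DemoUser class for LoginEngine's User model (SessionGuard, DemoUser, IDLE_TIMEOUT, ABSOLUTE_TIMEOUT and REAUTH_WINDOW are all names assumed for the example). It goes beyond the post in three ways: the timestamp is refreshed on every request, so the limit is the inactivity timeout Jonathan asked for rather than a fixed one; an absolute cap ends even an active session; and a successful password re-check is remembered for a short window so the user is not prompted on every sensitive action.

```ruby
require 'digest'
require 'securerandom'

# Added example, not code from the thread or from the Engines project.
# A plain Hash stands in for the Rails session and a lambda for the clock,
# so the expiry rules can be exercised without a running Rails app.

IDLE_TIMEOUT     = 600        # seconds between requests before a fresh login is required
ABSOLUTE_TIMEOUT = 8 * 3600   # hard cap on one login, however active the user is
REAUTH_WINDOW    = 300        # seconds a password re-check stays valid for sensitive actions

# Constructed stand-in for LoginEngine's User model: salted digest, no plaintext kept.
class DemoUser
  attr_reader :login

  def initialize(login, password)
    @login  = login
    @salt   = SecureRandom.hex(8)
    @digest = DemoUser.digest(password, @salt)
  end

  def self.digest(password, salt)
    Digest::SHA256.hexdigest("#{salt}--#{password}")
  end

  # Constant-time comparison so a wrong guess does not leak how many
  # leading bytes of the digest matched.
  def password?(password)
    candidate = DemoUser.digest(password, @salt)
    return false unless candidate.bytesize == @digest.bytesize
    candidate.bytes.zip(@digest.bytes).inject(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
  end
end

class SessionGuard
  def initialize(session, clock = -> { Time.now.to_i })
    @session = session   # Hash standing in for the Rails session
    @clock   = clock     # injectable so tests can move time forward
  end

  # Times are stored as Integer epoch seconds: they survive any session
  # store, which a Time object in a cookie-backed session may not.
  def login(user)
    @session.clear                        # drop pre-login state (Rails: reset_session)
    @session[:user_login]   = user.login
    @session[:logged_in_at] = now
    @session[:last_seen_at] = now
  end

  def logout
    @session.clear
  end

  # Run once per request, as a before_filter would be. Returns :ok,
  # :anonymous, :idle_expired or :absolute_expired; an expired session
  # is wiped so nothing from it can be reused.
  def check
    return :anonymous unless @session[:user_login]
    if now - @session[:logged_in_at] > ABSOLUTE_TIMEOUT
      logout
      return :absolute_expired
    end
    if now - @session[:last_seen_at] > IDLE_TIMEOUT
      logout
      return :idle_expired
    end
    @session[:last_seen_at] = now         # refreshed every request: an idle timeout, not a fixed one
    :ok
  end

  # Step-up check for a sensitive action: true only if the password was
  # re-entered and verified within REAUTH_WINDOW.
  def recently_authenticated?
    !@session[:reauth_at].nil? && now - @session[:reauth_at] <= REAUTH_WINDOW
  end

  # Verify the password the user just typed against the logged-in account
  # only; a client cannot name a different user in the form.
  def reauthenticate(user, password)
    return false unless @session[:user_login] == user.login && user.password?(password.to_s)
    @session[:reauth_at] = now
    true
  end

  private

  def now
    @clock.call
  end
end
```

In a real Rails controller the `check` call is the before_filter, `login` and the expiry branches should call `reset_session` so the session id rotates (the Hash's `clear` only empties it), and a sensitive action asks `recently_authenticated?` before doing its work, sending the user to the password form when it returns false.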
Jonathan Waddilove (Guest)
on 2006-02-04 18:38
James,

Many thanks for the suggestions, I'll give them a try!

- Jonathan