When I log out (delete a session), the application gives me a different value for
the Set-Cookie header.
But on every subsequent login and logout, the application sets the SAME value
for the Set-Cookie header.
And when I use the DB-based session store, the application always sets
different values for the Set-Cookie header, which is better behavior.
I think that when using the cookie-based session store, the application should set
different values for the Set-Cookie header, maybe adding some hashed
timestamp to the Set-Cookie value so that one can recognize by it whether the
session is an old one or the latest one.
With the database store the cookie value is just some identifier used
to look something up in a table. New session = new cookie value.
With the cookie store, the cookie value is the contents of the
session, so if the contents are the same the cookie will be the same.
The cookie store does not try to guard against replay of an old
session; you'll have to do that yourself.
You mean you want to decode the Rails session cookie? It's just base64-encoded
Marshal data (up until the --, the rest is the signature).
Fred
No, I'm just trying to find a way to guard against replay of an
old session... so probably I should play around with the request and
response objects to change the defaults for the Set-Cookie value that the
Rails app sets on the response object, and the Cookie value that the Rails app
is supposed to receive from the client.
Just store a timestamp in the session and have a before filter that
checks it?
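Fred's suggestion worked through in plain Ruby, as an added example that is not from the thread or from Rails itself: a toy model of the cookie store Fred describes (Marshal data, base64, "--", HMAC signature) showing why identical session contents give an identical cookie, plus the timestamp check a before filter would run. SECRET, MAX_SESSION_AGE, login and session_fresh? are assumed names for the demonstration.

```ruby
require "openssl"

# Toy model of the Rails cookie store described in the thread: Marshal data,
# base64-encoded, then "--" and an HMAC signature. SECRET and MAX_SESSION_AGE
# are constructed values for this demonstration, not Rails defaults.
SECRET = "constructed-demo-secret".freeze
MAX_SESSION_AGE = 30 * 60 # seconds a session stays valid after login

def encode_session(session)
  data = [Marshal.dump(session)].pack("m0") # strict base64, no newlines
  "#{data}--#{OpenSSL::HMAC.hexdigest('SHA1', SECRET, data)}"
end

# Constant-time string comparison so the signature check does not leak timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the session hash, or nil if the signature is missing or wrong.
# Marshal.load runs only after the signature has been verified.
def decode_session(cookie)
  data, sig = cookie.to_s.split("--", 2)
  return nil if data.nil? || sig.nil?
  return nil unless secure_equal?(OpenSSL::HMAC.hexdigest("SHA1", SECRET, data), sig)
  Marshal.load(data.unpack1("m0"))
end

# What a login action would put in the session: the identity plus the
# timestamp Fred suggests, which also makes each login's cookie differ.
def login(user_id, now = Time.now.to_i)
  { user_id: user_id, issued_at: now }
end

# The before filter's check: reject sessions without a timestamp, with one
# in the future, or older than MAX_SESSION_AGE.
def session_fresh?(session, now = Time.now.to_i)
  issued = session && session[:issued_at]
  return false unless issued.is_a?(Integer)
  issued <= now && now - issued <= MAX_SESSION_AGE
end

if __FILE__ == $PROGRAM_NAME
  puts "same contents -> same cookie: #{encode_session({ user_id: 1 }) == encode_session({ user_id: 1 })}"
  puts "with timestamp -> cookies differ: #{encode_session(login(1, 100)) != encode_session(login(1, 200))}"
  puts "hour-old session still fresh? #{session_fresh?(login(1, 1_000), 1_000 + 3_600)}"
end
```

Within MAX_SESSION_AGE a copied cookie still replays, since the cookie store keeps no server-side record of logout; the timestamp only bounds how long that window lasts.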