does Rails provide session timeout/expiry???

Hi,

Does Rails provide session timeout out-of-the-box (i.e. like Java servlets provide in J2EE), or does one need to implement this, similar to the Rails Recipes book?

Tks

I don't believe so. I added this functionality to my application,
though. Take a look at my blog for the code.

http://burningtimes.net/articles/2006/10/15/paranoid-rails-session-storage

Erik

Thanks Erik - very interesting

Based on my readings it would seem you could say that Rails does not provide web application session expiry. Whilst there is support for expiry of cookies it seems well documented that relying on cookies is prone to user-end abuse.

The implication is that one has to build one's own session management (time based session management and expiry). The major options in terms of the detection of this seem to be to store last application usage somewhere (session, database etc) but then, in terms of when the session is checked, do this either:

a) periodically, e.g. by using a sweeper type arrangement OR
b) based on a before filter in the controller

Any comments guys on which of these is the better mechanism, noting it would potentially be called each request?

Greg

Greg Hauptmann wrote:

Thanks Erik - very interesting

Based on my readings it would seem you could say that Rails does not provide
web application session expiry. Whilst there is support for expiry of
cookies it seems well documented that relying on cookies is prone to
user-end abuse.

The implication is that one has to build one's own session management (time
based session management and expiry).

While this is true there are a number of plugins available that help reduce implementation
effort.

The major options in terms of the detection of this seem to be to store last application usage somewhere (session, database etc) but then, in terms of when the session is checked, do this either:

a) periodically, e.g. by using a sweeper type arrangement OR
b) based on a before filter in the controller

Any comments guys on which of these is the better mechanism, noting it would potentially be called each request?

I would say you will need to use BOTH above methods.

b) can be implemented with relative ease. You can use :except (or :only) to control
which actions are filtered.
a) requires a bit more work but is doable (is that a word?) as Craig has suggested.
This is where you can clean up "abandoned" sessions.

Long
www.edgesoft.ca/blog/read/2


Hi Long - was there a particular plugin (plugins) you had in mind here?

Greg Hauptmann wrote:

Hi Long - was there a particular plugin (plugins) you had in mind here?

Greg,

If you Google 'session expire' on this group you will find some references.

Here is a previous thread you may find of use:

http://groups.google.ca/group/rubyonrails-talk/browse_thread/thread/7e61b201ac19677b/3c488c21682413a0?lnk=gst&q=session+expire&rnum=4#3c488c21682413a0

I have written a similar plugin for my own use also. I keep promising to
release it but just not finding the time to get it done (sigh).

Long
www.edgesoft.ca/blog/read/2

Tks Long - I'll follow this up / read through this.

One thing still not clear to me (need to do more reading) is whether the out-of-the-box Rails session timeout is just using the cookie expiry concept or not? i.e. does the Rails session infrastructure add additional server side checks & balances to ensure that any tampering of cookie information at the client end cannot change the timeout period for the session, for example? So is the Rails session timeout facility adequate from a security point of view? (i.e. if you didn't want more functionality like seeing who is logged on, could one use it and feel comfortable?)

Greg

Greg Hauptmann wrote:

Tks Long - I follow this up / read through this.

You're welcome.

One thing still not clear to me (need to do more reading) is whether the
out-of-the-box rails session timeout is just using the cookie expiry concept
or not?

I don't think rails uses cookie expiry by default but one can certainly set it.
However the cookie itself is at the mercy of the browser/user. It can be cleared
at any time so it can't be relied upon.

Out-of-the-box rails session lives forever so if we want to we have to add the
filter to expire the session. This will only handle clients that try to reconnect
after a long period of inactivity.

i.e. does the rails session infra-structure add additional server
side checks & balances to ensure that any tampering of cookie information at
the client end can not change the timeout period for the session for
example?

I don't think rails performs additional checks automatically. A rails session lives on the
server-side and anything you store in the session stays on the server-side. The only thing
rails passes to the client is the session_id (in the form of a cookie). Assuming cookies are
enabled, on subsequent requests rails makes sure the correct session is reconnected. If
your app has not set any other value in the client cookie then there is nothing to tamper
with, except the session_id value. So the answer is no, the client cannot change the timeout
period through tampering.

So is the rails session timeout facility adequate from a security
point of view? (i.e. if you didn't want more functionality like seeing who
is logged on, could one use it and feel comfortable?)

From a security standpoint rails' session handling is not any different from other
technologies such as PHP or Java. They all use a cookie to store the session_id in order
to maintain user state across HTTP requests. In this context the facility is adequate.
If you have a member-only area consider using SSL (via HTTPS) to gain an additional
layer of protection.

Long
www.edgesoft.ca/blog/read/2

Tks Long - this really helped. Can I ask, at this point in time, which plugin (or code, albeit on a blog) would you recommend if I wanted to add (a) the ability to set a defined session timeout period and (b) be able to get a list of who is currently using the website [anonymous & logged on user names]? Does something exist now?

I did see Eric's post here so I'm wondering whether to try to incorporate this approach, or leverage a separate existing plugin. Perhaps at this point in time the best approach is to take the bits you need from all of the posts/plugins and come up with something that suits one's own needs (i.e. as it doesn't seem like there is a clear de facto popular plugin in this area yet).

Tks again

Greg Hauptmann wrote:

Tks Long - this really helped. Can I ask, at this point in time, which
plugin (or code, albeit on a blog) would you recommend if I wanted to add
(a) the ability to set a defined session timeout period and

Here are some resources to start with:

http://opensource.agileevolved.com/svn/root/rails_plugins/

http://www.agilewebdevelopment.com/plugins/recent

(b) be able to get a list of who is currently using the website [anonymous & logged on user
names]? Does something exist now?

I haven't looked but you may have to roll your own. Perhaps you may find
something from the above links.

Best of luck,

Long
www.edgesoft.ca/blog/read/2
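As an added illustration (not Long's plugin, Erik's blog code or anything from Rails itself), here is the pattern the thread converges on, written in plain Ruby so it runs without Rails: a server-side store in which the client only ever holds the session_id, a per-request check that plays the role of the before filter (b), a sweeper for abandoned sessions (a), and the list of current anonymous/named users Greg asks about. The 30-minute timeout and the in-memory hash are assumptions.

```ruby
require 'securerandom'

# Constructed example of server-side session expiry, not Rails' own code.
# The client only ever holds the session_id (the cookie value); the data
# and the last-activity timestamp live here, so tampering with the cookie
# cannot extend the timeout. Timeout value and in-memory store are assumed.
class SessionStore
  DEFAULT_TIMEOUT = 30 * 60 # seconds of allowed inactivity (assumption)

  def initialize(timeout: DEFAULT_TIMEOUT)
    @timeout = timeout
    @sessions = {} # session_id => { data: Hash, last_seen: Time }
  end

  # Issue a fresh, unguessable id; this is what would go into the cookie.
  def create(now)
    id = SecureRandom.hex(16)
    @sessions[id] = { data: {}, last_seen: now }
    id
  end

  # (b) the per-request check a before filter would run: returns the session
  # data, or nil when the id is unknown or idle longer than the timeout
  # (the stale entry is dropped so it cannot be revived later).
  def touch(id, now)
    entry = @sessions[id]
    return nil if entry.nil?
    if now - entry[:last_seen] > @timeout
      @sessions.delete(id)
      return nil
    end
    entry[:last_seen] = now
    entry[:data]
  end

  # (a) the periodic sweeper: purges abandoned sessions whose owner never
  # sent another request, which the filter alone would never see again.
  def sweep(now)
    stale = @sessions.select { |_, e| now - e[:last_seen] > @timeout }.keys
    stale.each { |id| @sessions.delete(id) }
    stale.size
  end

  # Who is currently on the site: named users plus anonymous sessions.
  def active_users
    @sessions.values.map { |e| e[:data][:user] || 'anonymous' }
  end
end
```

In a Rails app the `touch` call would sit in a `before_filter` (scoped with `:only`/`:except` as Long describes) and `sweep` in a periodic job; the expiry decision never depends on anything the browser sends except the id.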