Hi,
I have been asking this question in multiple forums like stackexchange
but have not received a solution or proper help. Any help here is
appreciated.
I have a rails app with a session store database (mysql). When I want to
clear a session, I reset the session variables and call reset_session.
But then the record in mysql which was added on creating a session does
not get cleared automatically (which it should).
This is how my sessions controller looks like:
class SessionsController < ApplicationController
def create
session[:user_id] = params[:email]
session[:username] = params[:email]
end
def destroy
session[:user_id] = nil
session[:username] = nil
reset_session
end
When the create gets called, I see rails adding a record automatically
in the sessions table. But then it does not get cleaned up on
reset_session.
Hi,
I have been asking this question in multiple forums like stackexchange
but have not received a solution or proper help. Any help here is
appreciated.
I have a rails app with a session store database (mysql). When I want to
clear a session, I reset the session variables and call reset_session.
But then the record in mysql which was added on creating a session does
not get cleared automatically (which it should).
Do you have reference to documentation stating that it should? To my
knowledge using ActiveRecord session storage has always required manual
purging.
Thanks Robert for the reply. Nope, not from documentation. Its just
basic thing that if the record is created by rails, it needs to be
cleaned up by rails (why would it need to be cleaned up out of a
different path) ?
I remember reading this stackoverflow comment as well which mentioned
that it should clear on calling reset_session.
"When you call reset_session rails will delete that row from the session
table. However not every session will have reset_session called on it:
if a user closes their browser without logging out then the browser will
discard the session cookie, so that session row will never be used
again, but reset_session won't be called.
Rails won't clear out that accumulating cruft for you - it's up to you
to do any housekeeping on it as you see fit. In a previous job we use to
run a cronjob that deleted old session rows."
The problem is that I want to hold sessions who have not logged out. And
clear sessions who have not logged in. Sessions are created
automatically by rails when the login page loads itself.
Sorry, don't understand. Can you clarify what you mean by 'logged
out'? I assumed you meant users that have clicked on the 'logout'
link.
Colin
Okie. This is what I see from how its happening:
1. There is a login page
2. When login page is loaded I see an entry for a session put in.
What do you mean by 'loading' the login page? The code you posted
shows the session being created in session create, which is presumably
as a result of posting the login form, not displaying. It is up to
you what code you put there.
+-----+----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------+---------------------+---------------------+
> id | session_id | data
> created_at | updated_at |
+-----+----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------+---------------------+---------------------+
> 172 | 683aeb1fec89147c16db6ffb8614d915 |
BAh7BiIQX2NzcmZfdG9rZW4iMUVNN1ZVSSt6cGdMaTdRT1RycjhuVTlkWHMr
M1RyYzZyZUpYaEh5eE93VDQ9
3. When someone logs in successfully, I set the user_id value in the
session variable. Right then I see that the sql record has the value in
"data" variable changed.
session[:user_id] = params[:email]
4. When someone logs out, I clear the value and call reset_session.
Again I see the sql record has the "data" variable with changed value.
session[:user_id] = nil
reset_session
Hence the problem is:
1. Can't I ensure a session record is created only when I want - After
the user logs in ?
When a user logs in check whether they already have an active session
and if so restore that one and remove the new one (or even better
don't save it). If there is nothing stored in the session other than
the fact that they have logged in then you can just delete any old
ones for that user.
1. There is a login page
2. When login page is loaded I see an entry for a session put in.
What do you mean by 'loading' the login page? The code you posted
shows the session being created in session create, which is presumably
as a result of posting the login form, not displaying. It is up to
you what code you put there.
Actually nope. When I hit localhost:3000, the login page pops up. I
don't see any of the controller code being executed. But when I check
the sql sessions table, I see rails has put in an entry:
A row gets set in the sessions table (or whatever session store you use) whenever something is assigned to the session. In particular, pretty much any time you display a form (or call csrf_meta_tag) rails saves the value of the csrf token to the session. This is probably why you’re seeing sessions created on displaying the login page.
You can’t by default differentiate between authenticated sessions and non authenticated sessions: rails’ session support is unaware of what authenticated means to you. You could probably do this with a custom session store - a session store implementation has access to the rack env hash, so your app code could set values in there that the session store could save. The active record store implementation that was extracted from rails (GitHub - rails/activerecord-session_store: Active Record's Session Store extracted from Rails) would probably be a good place to start