sessions store

I have some questions about sessions store. Actually I'm using cookie based authentication. But I need a way to know if someone is logged in or not, so that's why I need DB store sessions, but my question is, is there a way of making these sessions expire like cookies, or being permanent as cookies? Is it safer or less?

But i need a way to know if someone is logged in or not, so that's why i need DB store sessions,

Why does that require DB store?

How could I tell if a user is connected or not?

You could simply do this:

def some_action
  ...
  cookies[:signed_in] = 'yes'
end

def another_action
  if cookies[:signed_in] == 'yes'
    # show all the user's secrets
  end
end

However, that's not very secure.

If cookies are permanent I can't verify if signed in is true or false.

Read this:

http://ruby.railstutorial.org/chapters/sign-in-sign-out#sec:sessions

I don't need the cookie for the current user, but for every user. So a user can see if someone else is connected or not.

Read up on storing the session in a database in the Rails Guide. That way you can query the database to find out who's on line.

Walter

Tomas R. wrote in post #1016683:

I don't need the cookie for the current user, but for every user.

Adding requirements at this late date voids our contract. I quit.

db store sessions are still backed by cookies (except that the cookie now contains the identifier for a database row) so the sessions will expire as a cookie based one would too. You can however forcefully expire sessions by deleting rows from your sessions table. You still won't be able to detect whether a user has lost their session by quitting their browser without logging out from within your app though.

Fred

Exactly. What most CMS and forum apps do is check the updated_at column from the sessions table and when someone has been accessing the site within xx minutes, it assumes they are online. You could just as well do it by touching the user object using the cookie store in your authenticate method (maybe in a more performant way than activerecord’s, but that’s up to you). If you’re insisting on using the db session store, you’re probably cleaning out stale sessions that are older than xx days, that’s where you “expire” your sessions. However, if online status is the only reason you want to use database sessions, you shouldn’t even switch. There are better ways to tackle that problem.

If you REALLY want instant feedback on whether someone is online or not, you’d have to implement something like Socket.IO (which uses websockets if available, falls back to whatever it can use if not such as Flash sockets). You then need to listen for the disconnect event on the server to know if a user went offline. If you’re totally in the dark when it comes to two-way communication, you could have a look at Faye (http://railscasts.com/episodes/260-messaging-with-faye). There’s some other solutions out there too (socketstream, …) or you can roll your own in e.g. NodeJS using Socket.IO.

Best regards

Peter De Berdt
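The mechanics Fred and Peter describe, as an added example that is not code from this thread and not Rails' own ActiveRecord session store: a plain-Ruby, in-memory stand-in for a sessions table (session_id, user_id, updated_at) that is touched on every authenticated request, an "online" heuristic based on how recently a row was updated, forceful expiry by deleting a row, and a periodic sweep of stale rows. The window and max-age values and the demo timeline are constructed for illustration. Because a browser being closed never reaches the server, the only thing the store can say is "active within the last N minutes", which is exactly why the heuristic needs a window rather than a true online flag.

```ruby
# Added example (not from the thread): an in-memory stand-in for a
# database-backed sessions table. The cookie would carry only session_id;
# everything else lives server-side.
require 'securerandom'
require 'time'

class SessionStore
  Row = Struct.new(:session_id, :user_id, :updated_at)

  def initialize
    @rows = {} # session_id => Row; stands in for the sessions table
  end

  # Create a row and return the identifier that would go into the cookie.
  def create(user_id, now = Time.now)
    id = SecureRandom.hex(16)
    @rows[id] = Row.new(id, user_id, now)
    id
  end

  # Look up the row named by the cookie; nil means "not signed in".
  def find(session_id)
    @rows[session_id]
  end

  # Called from the authenticate step on every request: bump updated_at.
  def touch(session_id, now = Time.now)
    return nil unless (row = @rows[session_id])
    row.updated_at = now
    row
  end

  # Online heuristic: any session for this user updated within the window.
  # (window is an assumed value; 15 minutes is a typical choice.)
  def online?(user_id, now = Time.now, window: 15 * 60)
    @rows.values.any? { |r| r.user_id == user_id && now - r.updated_at <= window }
  end

  # Everyone seen within the window, for a "who's online" listing.
  def online_users(now = Time.now, window: 15 * 60)
    @rows.values.select { |r| now - r.updated_at <= window }.map(&:user_id).uniq
  end

  # Forceful expiry: once the row is gone the cookie identifies nothing.
  def destroy(session_id)
    !@rows.delete(session_id).nil?
  end

  # Periodic cleanup of rows older than max_age (assumed: 7 days).
  # Returns how many rows were removed.
  def expire_stale(now = Time.now, max_age: 7 * 24 * 3600)
    stale = @rows.values.select { |r| now - r.updated_at > max_age }
    stale.each { |r| @rows.delete(r.session_id) }
    stale.size
  end

  def size
    @rows.size
  end
end

# Constructed walkthrough on a fixed timeline so results are deterministic.
def demo
  t0 = Time.utc(2012, 1, 1, 12, 0, 0)
  store = SessionStore.new
  alice = store.create(1, t0)
  bob   = store.create(2, t0)
  store.touch(alice, t0 + 10 * 60)          # Alice makes a request 10 min in
  now = t0 + 20 * 60                        # Alice seen 10 min ago, Bob 20 min ago
  result = {
    alice_online: store.online?(1, now),    # true: within the 15-minute window
    bob_online:   store.online?(2, now),    # false: outside the window
    online:       store.online_users(now)   # [1]
  }
  store.destroy(bob)                        # forceful logout of Bob
  result[:bob_row_after_destroy] = store.find(bob)              # nil
  result[:removed]   = store.expire_stale(t0 + 8 * 24 * 3600)   # 1 (Alice's stale row)
  result[:remaining] = store.size                               # 0
  result
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

In a real Rails app the touch would happen in the authenticate filter and the sweep in a scheduled job; the session_id in the cookie should be long and random (as here, 128 bits from SecureRandom) so that a row cannot be guessed.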