sessions store

i have some questions about sessions store, actually im using cookie
based authentication. But i need a way to know if someone is logged in
or not, so that's why i need DB store sessions, but my question is, is
the a way of making this sessions expire like cookies, or beeing
permanent as cookies? is it safer or less?

But i need a way to know if someone is logged in
or not, so that's why i need DB store sessions,

Why does that require DB store?

how could I get if a user if connected or not?

You could simply do this:

def some_action
  ...
  cookies[:signed_in] = 'yes'
end

def another_action

  if cookies[:signed_in] == 'yes'
    #show all the user's secrets
  end

end

However, that's not very secure.

if cookies is permanent i cant verify if signed in is true or false

Read this:

http://ruby.railstutorial.org/chapters/sign-in-sign-out#sec:sessions

i dont need the cookie for the current user, but for every user. So a
user can see if someone else is connected or not

Read up on storing the session in a database in the Rails Guide. That way you can query the database to find out who's on line.

Walter

Tomas R. wrote in post #1016683:

i dont need the cookie for the current user, but for every user.

Adding requirements at this late date voids our contract. I quit.

db store sessions are still backed by cookies (except that the cookie
now contains the identifier for a database row) so the sessions will
expire as a cookie based one would too. You can however forcefully
expire sessions by deleting rows from your sessions table.
You still won't be able to detect whether a user has lost their
session by quitting their browser without logging out from within your
app though.

Fred

Exactly. What most CMS and forum apps do is check the updated_at column from the sessions table and when someone has been accessing the site within xx minutes, it assumes they are online. You could just as well do it by touching the user object using the cookie store in your authenticate method (maybe in a more performant way than activerecord’s, but that’s up to you). If you’re insisting on using the db session store, you’re probably cleaning out stale sessions that are older than xx days, that’s where you “expire” your sessions. However, if online status is the only reason you want to use database sessions, you shouldn’t even switch. There’s better ways to tackle that problem.

If you REALLY want instant feedback on whether someone is online or not, you’d have to implement something like Socket.IO (which uses websockets if available, falls back to whatever it can use if not such as Flash sockets). You then need to listen for the disconnect event on the server to know if a user went offline. If you’re totally in the dark when it comes to two-way communication, you could have a look at Faye (http://railscasts.com/episodes/260-messaging-with-faye). There’s some other solutions out there too (socketstream, …) or you can roll your own in e.g. NodeJS using Socket.IO.

Best regards

Peter De Berdt