I'm wondering if this is the normal way Rails handles sessions...

When I log in (create a session on the server), the application sets a cookie value in the HTTP header.

Key: Set-Cookie
Value: _my_session_id=BAe7CDoOcmV0dXJuX3RvMqIKsmxhc2hJQzonQWN0aW9uQ13udHJvbGxlcjo6%220ARmvhc2g6YkZsYXNoSGFzaHsABjoKQHVzZWR7ADoJdXNlcmkC3wM %253D--d806ac851b4e6ee4310dcf2abdcf57e3ea4c12cb; path=/ )

When I log out (delete a session), the application gives me another value for the Set-Cookie header.

But on every subsequent login and logout the application sets the SAME value for the Set-Cookie header.

And when I use the db-based session store, the application always sets different values for the Set-Cookie header, which is better behavior.

I think that, when using the cookie-based session store, the application should set different values for the Set-Cookie header, maybe add some hashed timestamp to the Set-Cookie value so as to recognize by it if the session is some old, or it is the last one for.

Any suggestions?

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---
On 24 Jun 2008, at 15:39, blackflash wrote:
> I'm wondering if this is the normal way Rails handles sessions...
>
> When I log in (create a session on the server), the application sets a cookie
> value in the HTTP header.
>
> Key: Set-Cookie
> Value:
> _my_session_id=BAe7CDoOcmV0dXJuX3RvMqIKsmxhc2hJQzonQWN0aW9uQ13udHJvbGxlcjo6
> %220ARmvhc2g6YkZsYXNoSGFzaHsABjoKQHVzZWR7ADoJdXNlcmkC3wM
> %253D--d806ac851b4e6ee4310dcf2abdcf57e3ea4c12cb; path=/ )
>
> When I log out (delete a session), the application gives me another value for
> the Set-Cookie header.
>
> But on every subsequent login and logout the application sets the SAME value
> for the Set-Cookie header.

With the database store the cookie value is just some identifier used to look something up in a table. New session = new cookie value. With the cookie store, the cookie value is the contents of the session, so if the contents are the same the cookie will be the same. The cookie store does not try to guard against replay of an old session; you'll have to do that yourself.

Fred

> And when I use the db-based session store, the application always sets
> different values for the Set-Cookie header, which is better behavior.
>
> I think that, when using the cookie-based session store, the application should set
> different values for the Set-Cookie header, maybe add some hashed
> timestamp to the Set-Cookie value so as to recognize by it if the
> session is some old, or it is the last one for.
>
> Any suggestions?
Yes, that's it! Thanks.

Are you familiar with any example on the internet about creating 'Set-Cookie' and decoding 'Cookie' values from requests / responses?
On 24 Jun 2008, at 16:15, blackflash wrote:
> Yes, that's it! Thanks.
>
> Are you familiar with any example on the internet about creating 'Set-Cookie'
> and decoding 'Cookie' values from requests / responses?

You mean you want to decode the Rails session cookie? It's just base64-encoded marshal data (up until the --, the rest is the signature).

Fred
> You mean you want to decode the Rails session cookie? It's just base64-encoded
> marshal data (up until the --, the rest is the signature).
>
> Fred

No, I'm just trying to find a way to guard against replay of an old session... so, probably I should play around with the request and response objects to change the defaults for the Set-Cookie value that the Rails app sets on the response object, and the Cookie value that the Rails app is supposed to receive from the client.

Cheers!
Dalibor
On 24 Jun 2008, at 18:03, blackflash wrote:
>> You mean you want to decode the Rails session cookie? It's just base64-encoded
>> marshal data (up until the --, the rest is the signature).
>>
>> Fred
>
> No, I'm just trying to find a way to guard against replay of an
> old session... so, probably I should play around with the request and
> response objects to change the defaults for the Set-Cookie value that
> the Rails app sets on the response object, and the Cookie value that the Rails app
> is supposed to receive from the client.

Just store a timestamp in the session and have a before filter that checks it?

> Cheers!
> Dalibor
> Just store a timestamp in the session and have a before filter that
> checks it?

That's it, madafaka! Thanks!
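
The cookie layout Fred describes (base64 Marshal data, `--`, signature) together with the timestamp check he suggests, as an added Ruby example that is not part of the thread and is not Rails' own code. The HMAC-SHA1 signature, the secret, the `:logged_in_at` key and the 30-minute limit are assumptions made for illustration.

```ruby
require "openssl"

SECRET  = "constructed-demo-secret"  # assumption: stand-in for the app's session secret
MAX_AGE = 30 * 60                    # assumption: accept sessions up to 30 minutes old

def sign(data)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("SHA1"), SECRET, data)
end

# Constant-time comparison so the check does not leak where the digests differ.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# "<base64 of Marshal.dump(session)>--<signature>", the layout described in the thread.
def encode_session(session)
  data = [Marshal.dump(session)].pack("m0")
  "#{data}--#{sign(data)}"
end

# Check the signature BEFORE Marshal.load: unmarshalling unverified bytes is unsafe.
def decode_session(cookie)
  data, digest = cookie.to_s.split("--", 2)
  return nil if data.nil? || digest.nil?
  return nil unless secure_compare(digest, sign(data))
  Marshal.load(data.unpack("m0").first)
end

# The check a before filter would run (hypothetical :logged_in_at key).
def session_fresh?(session, now = Time.now.to_i)
  ts = session && session[:logged_in_at]
  ts.is_a?(Integer) && ts <= now && now - ts <= MAX_AGE
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sessions: identical contents give an identical cookie on every login.
  puts encode_session({ user: 991 }) == encode_session({ user: 991 })   # true
  old = encode_session({ user: 991, logged_in_at: 1_000 })
  # The old cookie still carries a valid signature; only the timestamp rejects it.
  puts decode_session(old).inspect
  puts session_fresh?(decode_session(old), 1_000 + MAX_AGE + 1)         # false
end
```

A timestamp only bounds how long a captured cookie keeps working: a cookie replayed inside that window still passes, so invalidating a session at logout needs some server-side state.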