Rails - May 2005 - session expiry and production environment

I am encountering something weird and would like to check with the list
if this is a known bug.

Here is my setup:

1. rails 0.12.1, mysql server, lighttpd with fcgi on a debian server
2. using login_generator
3. added this to the bottom of controllers/application.rb

# limit sessions to 1hr.
ActionController::CgiRequest::DEFAULT_SESSION_OPTIONS.update(:session_expires
=> 1.hour.from_now)

Everything works fine in development environment. I can login and out.
After one hour of no activity the session expires and the user have to
re-login when he next clicks on a link. On successful re-login, the user
is brought back to the link he clicked. So far so good.

Now, if I switch to production environment (after clearing all existing
session files), the user is able to login as per normal. After one hour
the session expiry will force the user to re-login. However, this time
even though the authentication is successful, for some unknown reason
when the user is brought to the link he clicked, the cgi session
variable somehow got reset. I did a 

  logger.debug @session.inspect

to confirm this. The end result is that the user is kicked back to the
login page. All subsequent login attempts result in the same thing until
the lighttpd server is restarted.

If I change the line in environments/production.rb from

  Dependencies.mechanism = :require

to 

  Dependencies.mechanism = :load

the re-login on session expiry works.

If anyone has any idea why this is happening or any workarounds I would
love to hear from you. Been stuck with this for a day already. In the
mean time, I am going to disable the session expiry and do a daily
cronjob to remove the session files in /tmp.

cheers,
mengkuan

Meng Kuan wrote:
> Everything works fine in development environment. I can login and out.
> After one hour of no activity the session expires and the user have to
> re-login when he next clicks on a link. On successful re-login, the user
> is brought back to the link he clicked. So far so good.
> 
> Now, if I switch to production environment (after clearing all existing
> session files), the user is able to login as per normal. After one hour
> the session expiry will force the user to re-login. However, this time
> even though the authentication is successful, for some unknown reason
> when the user is brought to the link he clicked, the cgi session
> variable somehow got reset. 
I think you''re on the right track -- in production mode the application
code is cached, so the `DEFAULT_SESSION_OPTIONS.update` happens only 
once (the first time the app is loaded).

Maybe setting the session options in a controller filter would keep the 
expiry updated better?

class ApplicationController < ActionController::Base
   before_filter {|c| 
c::CgiRequest::DEFAULT_SESSION_OPTIONS.update(:session_expires => 
1.hour.from_now)}
   ..
end

--
  Lee

> I think you''re on the right track -- in production mode the
application
> code is cached, so the `DEFAULT_SESSION_OPTIONS.update` happens only
> once (the first time the app is loaded).
> 
> Maybe setting the session options in a controller filter would keep the
> expiry updated better?
> 
> class ApplicationController < ActionController::Base
>    before_filter {|c|
> c::CgiRequest::DEFAULT_SESSION_OPTIONS.update(:session_expires =>
> 1.hour.from_now)}
Would that not reset the session timeout to be an hour after the last
access of the user?   (Rather than some absolute time, which is what
the OP had, I think...)

I''m curious since the "sliding window since last access"
behavior is
what I''m actually looking for and was thinking of trying this exact
mechanism.

Would you mind posting an example of your application.rb? I tried
doing this and got errors:

NameError (uninitialized constant
ActionWebService::Dispatcher::ActionController::CgiRequest):
    app/controllers/application.rb:7
   
/usr/lib/ruby/gems/1.8/gems/activesupport-1.0.4/lib/active_support/dependencies.rb:189:in
`load''
   
/usr/lib/ruby/gems/1.8/gems/activesupport-1.0.4/lib/active_support/dependencies.rb:189:in
`load''
   
/usr/lib/ruby/gems/1.8/gems/activesupport-1.0.4/lib/active_support/dependencies.rb:38:in
`require_or_load''
   
/usr/lib/ruby/gems/1.8/gems/activesupport-1.0.4/lib/active_support/dependencies.rb:21:in
`depend_on''
   
/usr/lib/ruby/gems/1.8/gems/activesupport-1.0.4/lib/active_support/dependencies.rb:167:in
`require_dependency''
   
/usr/lib/ruby/gems/1.8/gems/activesupport-1.0.4/lib/active_support/dependencies.rb:167:in
`require_dependency''
   
/usr/lib/ruby/gems/1.8/gems/activesupport-1.0.4/lib/active_support/dependencies.rb:123:in
`load_file!''
   
/usr/lib/ruby/gems/1.8/gems/activesupport-1.0.4/lib/active_support/dependencies.rb:92:in
`const_load!''
   
/usr/lib/ruby/gems/1.8/gems/activesupport-1.0.4/lib/active_support/dependencies.rb:76:in
`each''
   
/usr/lib/ruby/gems/1.8/gems/activesupport-1.0.4/lib/active_support/dependencies.rb:76:in
`const_load!''
    /usr/lib/ruby/gems/1.8/gems/rails-0.12.1/lib/dispatcher.rb:44:in
`prepare_application''
    /usr/lib/ruby/gems/1.8/gems/rails-0.12.1/lib/dispatcher.rb:31:in
`dispatch''
    /Users/stmpjmpr/Sites/rails/public/dispatch.rb:10
   
/usr/lib/ruby/gems/1.8/gems/activesupport-1.0.4/lib/active_support/dependencies.rb:189:in
`load''
   
/usr/lib/ruby/gems/1.8/gems/activesupport-1.0.4/lib/active_support/dependencies.rb:189:in
`load''
    /usr/lib/ruby/gems/1.8/gems/rails-0.12.1/lib/webrick_server.rb:82:in
`handle_dispatch''
    /usr/lib/ruby/gems/1.8/gems/rails-0.12.1/lib/webrick_server.rb:35:in
`service''
    /usr/lib/ruby/1.8/webrick/httpserver.rb:104:in `service''
    /usr/lib/ruby/1.8/webrick/httpserver.rb:65:in `run''
    /usr/lib/ruby/1.8/webrick/server.rb:155:in `start_thread''
    /usr/lib/ruby/1.8/webrick/server.rb:144:in `start''
    /usr/lib/ruby/1.8/webrick/server.rb:144:in `start_thread''
    /usr/lib/ruby/1.8/webrick/server.rb:94:in `start''
    /usr/lib/ruby/1.8/webrick/server.rb:89:in `each''
    /usr/lib/ruby/1.8/webrick/server.rb:89:in `start''
    /usr/lib/ruby/1.8/webrick/server.rb:79:in `start''
    /usr/lib/ruby/1.8/webrick/server.rb:79:in `start''
    /usr/lib/ruby/gems/1.8/gems/rails-0.12.1/lib/webrick_server.rb:21:in
`dispatch''
    ./script/server:48

--Scott

On 5/17/05, Michael Campbell
<michael.campbell-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
wrote:
> > I think you''re on the right track -- in production mode the
application
> > code is cached, so the `DEFAULT_SESSION_OPTIONS.update` happens only
> > once (the first time the app is loaded).
> >
> > Maybe setting the session options in a controller filter would keep
the
> > expiry updated better?
> >
> > class ApplicationController < ActionController::Base
> >    before_filter {|c|
> > c::CgiRequest::DEFAULT_SESSION_OPTIONS.update(:session_expires =>
> > 1.hour.from_now)}
> 
> Would that not reset the session timeout to be an hour after the last
> access of the user?   (Rather than some absolute time, which is what
> the OP had, I think...)
> 
> I''m curious since the "sliding window since last access"
behavior is
> what I''m actually looking for and was thinking of trying this
exact
> mechanism.
> _______________________________________________
> Rails mailing list
> Rails-1W37MKcQCpIf0INCOvqR/iCwEArCW2h5@public.gmane.org
> http://lists.rubyonrails.org/mailman/listinfo/rails
> 

-- 

--Scott

On Tue, 2005-05-17 at 12:07 -0400, Lee O''Mara
wrote:
> I think you''re on the right track -- in production mode the
application
> code is cached, so the `DEFAULT_SESSION_OPTIONS.update` happens only 
> once (the first time the app is loaded).
> 
> Maybe setting the session options in a controller filter would keep the 
> expiry updated better?
> 
> class ApplicationController < ActionController::Base
>    before_filter {|c| 
> c::CgiRequest::DEFAULT_SESSION_OPTIONS.update(:session_expires => 
> 1.hour.from_now)}
>    ..
> end
This is what I have now in application.rb:
----------------------------------------------------
require_dependency "login_system"

class ApplicationController < ActionController::Base
  include LoginSystem
  model :user
  before_filter {|c|
c::CgiRequest::DEFAULT_SESSION_OPTIONS.update(:session_expires =>
1.minute.from_now)}
end
----------------------------------------------------

However, this gives me the following error after I logged in:

	#<DashboardController:0x40b923c0> is not a class/module

Where DashboardController is the first controller the user is redirected
to after login.

cheers,
mengkuan

On Tue, 2005-05-17 at 12:50 -0400, Michael Campbell
wrote:
> I''m curious since the "sliding window since last access"
behavior is
> what I''m actually looking for and was thinking of trying this
exact
> mechanism.
Actually that''s the exact behaviour when you put the line

ActionController::CgiRequest::DEFAULT_SESSION_OPTIONS.update(:session_expires
=> 4.hour.from_now)

in your application.rb.

The only thing is that when run in production mode the re-login will
fail after the session window has expired because the session variable
got reset somehow _after_ a successful re-login. Everything works in
development mode. And I can''t use development mode because the memory
usage of the FCGI processes will just keep ballooning over time.

cheers,
mengkuan

Scott Hill wrote:
> Would you mind posting an example of your application.rb? I tried
> doing this and got errors:
> 
[snip]
> 
> --Scott
> 
> On 5/17/05, Michael Campbell
<michael.campbell-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> 
>>>I think you''re on the right track -- in production mode the
application
>>>code is cached, so the `DEFAULT_SESSION_OPTIONS.update` happens only
>>>once (the first time the app is loaded).
>>>
>>>Maybe setting the session options in a controller filter would keep
the
>>>expiry updated better?
>>>
>>>class ApplicationController < ActionController::Base
>>>   before_filter {|c|
>>>c::CgiRequest::DEFAULT_SESSION_OPTIONS.update(:session_expires =>
>>>1.hour.from_now)}
My previous version was incorrect(sorry ''bout that), a problem of scope
mostly. This seems to works for me:

class ApplicationController < ActionController::Base
   before_filter {
 
::ActionController::CgiRequest::DEFAULT_SESSION_OPTIONS.update(:session_expires 
=> 1.hour.from_now)
   }
end

note the :: preceding ActionController.
--
  Lee

On Tue, 2005-05-17 at 22:52 -0400, Lee O''Mara
wrote:
> class ApplicationController < ActionController::Base
>    before_filter {
>  
>
::ActionController::CgiRequest::DEFAULT_SESSION_OPTIONS.update(:session_expires
> => 1.hour.from_now)
>    }
> end
> 
> note the :: preceding ActionController.
Woo hoo! Just tested it and it works now in production mode. Thank you
very much. Will put this info up on the wiki.

cheers,
mengkuan

On 5/18/05, Meng Kuan
<mengkuan-i6YX4oj4YlBLCxcys0AdiZqQE7yCjDx5@public.gmane.org>
wrote:
> On Tue, 2005-05-17 at 22:52 -0400, Lee O''Mara wrote:
> > class ApplicationController < ActionController::Base
> >    before_filter {
> >
> >
::ActionController::CgiRequest::DEFAULT_SESSION_OPTIONS.update(:session_expires
> > => 1.hour.from_now)
> >    }
> > end
> >
> > note the :: preceding ActionController.
We really should make this easier.
> Woo hoo! Just tested it and it works now in production mode. Thank you
> very much. Will put this info up on the wiki.
> 
> cheers,
> mengkuan
> 
> 
> _______________________________________________
> Rails mailing list
> Rails-1W37MKcQCpIf0INCOvqR/iCwEArCW2h5@public.gmane.org
> http://lists.rubyonrails.org/mailman/listinfo/rails
> 

-- 
Cheers

Koz

>> note the :: preceding ActionController.
What does the :: do?

Nev

Neville Burnell wrote:
>>>note the :: preceding ActionController.
> 
> What does the :: do?
> 
:: is the scope operator. Quoting from the first pickaxe[1], under the 
section "Scope of Constants and Variables":

Constants defined outside any class or module may be accessed unadorned 
or by using the scope operator ``::'''' with no prefix.

[1] http://www.ruby-doc.org/docs/ProgrammingRuby/html/language.html#UP

hth,

Lee