How do people keep people logged into a system for two weeks? Is there an option to make sure cookies don't expire for two weeks even if user closes his/her browser window?

IIRC, both cookies and sessions in rails are default to "forever".

On 5/30/05, John Kopanas <john.kopanas-O1KSuMybMhqBUy7/sJONFg@public.gmane.org> wrote:
> How do people keep people logged into a system for two weeks? Is
> there an option to make sure cookies don't expire for two weeks even
> if user closes his/her browser window?

On 5/30/05, Michael Campbell <michael.campbell-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> IIRC, both cookies and sessions in rails are default to "forever".

In my experience, cookies have expired with browser sessions. Are eternal cookies a recent development?

Sincerely,
Tom Reinhart
tom-V0YqjHVuocLQT0dZR+AlfA@public.gmane.org
http://AllTom.com/

Typo's source code has a nice example,

    cookies['author'] = { :value => @comment.author, :expires => 2.weeks.from_now }
    cookies['url'] = { :value => @comment.url, :expires => 2.weeks.from_now }

does it work?

On 5/31/05, Tom Reinhart <alltom-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> In my experience, cookies have expired with browser sessions. Are
> eternal cookies a recent development?

--
choonkeat @ http://blog.yanime.org/
this email is: [ ] bloggable [ x ] ask first [ ] private

On 5/30/05, Tom Reinhart <alltom-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> In my experience, cookies have expired with browser sessions. Are
> eternal cookies a recent development?

I looked this up in the PDF, and according to it (I'll admit to not having actually tested this):

"If you create a cookie by assigning a value to cookies[name], its options will take a default set of values: it will apply to the whole site, it will never expire, and it will apply to the domain of the host doing the setting."

Is that not the case?

On 5/31/05, Michael Campbell <michael.campbell-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> I looked this up in the PDF, and according to it (I'll admit to not
> having actually tested this):
>
> "If you create a cookie by assigning a value to cookies[name], its options
> will take a default set of values: it will apply to the whole site, it will
> never expire, and it will apply to the domain of the host doing the setting."
>
> Is that not the case?

Oops! I've never used the cookies object. I have used the session object in my programs (including the login generator) and the session objects seem to go away when the browser is closed. I'm not sure why keys created in session would have different life spans from those in cookies, though.

Sincerely,
Tom Reinhart
tom-V0YqjHVuocLQT0dZR+AlfA@public.gmane.org
http://AllTom.com/

Tom,

Honest mistake... Sessions only exist while the browser is open. They're terminated as soon as the browser's instance is killed.

HTH!

On 5/31/05, Tom Reinhart <alltom-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> Oops! I've never used the cookies object. I have used the session
> object in my programs (including the login generator) and the session
> objects seem to go away when the browser is closed. I'm not sure why
> keys created in session would have different life spans from those in
> cookies, though.

--
- Frank
FrankManno.com

Be careful. Cookies are actually sent to the client while sessions are not. It might not be the best idea to send the user data to the client as it's plaintext by default.

A better idea would be to just store the login and the (sha1 hashed) password to the client and validate the user on each page request anew.

On 5/31/05, Tom Reinhart <alltom-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> Oops! I've never used the cookies object. I have used the session
> object in my programs (including the login generator) and the session
> objects seem to go away when the browser is closed. I'm not sure why
> keys created in session would have different life spans from those in
> cookies, though.

--
Tobi
http://www.snowdevil.ca - Snowboards that don't suck
http://typo.leetsoft.com - Open source weblog engine
http://blog.leetsoft.com - Technical weblog

Can the default cookie used by rails be configured to never expire?

From what I've seen, the cookie used to associate the user with the server session is lost once the browser is closed. Note that even though the cookie is gone, the session still exists (albeit, it is now useless). You need to periodically delete stale sessions yourself.

Tobias Luetke wrote:
> Be careful. Cookies are actually sent to the client while sessions are
> not. It might not be the best idea to send the user data to the client
> as it's plaintext by default.
>
> A better idea would be to just store the login and the (sha1 hashed)
> password to the client and validate the user on each page request anew.

Upon further investigation I found that Rails is supposed to default to an eternal session cookie. According to cgi_process.rb:

    # * :session_expires - the time the current session expires, as a +Time+ object. If not set, the session will continue
    #   indefinitely.

But this is not the behaviour I'm seeing. If I accept the defaults, the cookie expires at the end of the browser session. At least in Firefox, the cookie is clearly labeled as expiring upon closing the browser.

I had to add the following to environment.rb to get the desired outcome:

    ActionController::CgiRequest::DEFAULT_SESSION_OPTIONS[:session_expires] = Time.mktime(2037)

Hopefully in 2037 I'll be retired and on a beach :P.

David Teare wrote:
> Can the default cookie used by rails be configured to never expire?
>
> From what I've seen, the cookie used to associate the user with the
> server session is lost once the browser is closed. Note that even
> though the cookie is gone, the session still exists (albeit, it is now
> useless). You need to periodically delete stale sessions yourself.

on 5/31/2005 6:41 PM David Teare said the following:
> Upon further investigation I found that Rails is supposed to default to
> an eternal session cookie. According to cgi_process.rb:
>
>     # * :session_expires - the time the current session expires, as a +Time+ object. If not set, the session will continue
>     #   indefinitely.
>
> But this is not the behaviour I'm seeing. If I accept the defaults, the
> cookie expires at the end of the browser session. At least in Firefox,
> the cookie is clearly labeled as expiring upon closing the browser.
>
> I had to add the following to environment.rb to get the desired outcome:
>
>     ActionController::CgiRequest::DEFAULT_SESSION_OPTIONS[:session_expires] = Time.mktime(2037)
>
> Hopefully in 2037 I'll be retired and on a beach :P.

This thread is confusing expiring of the session and the expiring of the session cookie.

The session cookie does not have an expiration date, unlike a persistent cookie. Because of this, clients handle session cookies differently than persistent cookies. Session cookies are not stored on disk, they are stored in the memory. Like persistent cookies, when the client issues a request to the server the session cookie is passed to the server and the server then uses this cookie to reconnect the client to the correct session. When the browser closes, the session cookies are lost. Persistent cookies are written to disk (or otherwise persisted.)

The session is a server-side concept. The session holds the state of the interaction between the client and the server. The session will normally expire after some period of inactivity because it is a load on system resources (connections held open, memory allocated per session, etc.) and it leaves an opening for some second user to come in and hijack a previous user's session. I do not know why Rails chooses to let the session continue forever. I suppose this is a reasonable default in a development environment; it is not what you would want in a production server.

This discussion is mostly an aside from the original question in this thread:

> How do people keep people logged into a system for two weeks? Is
> there an option to make sure cookies don't expire for two weeks even
> if user closes his/her browser window?

Yes, you can easily make the cookies not expire for two weeks, or ever, but if you want to reconnect the user to the original session, you have to jump through some hoops. (And you have to have the distinction between session cookies and persistent cookies clear in mind.)

1) When the user first logs in, set a persistent cookie. For the purposes of this discussion, call it userid. Set this cookie to expire in 2 weeks.

2) So long as the user's browser continues to pass back the session cookie, continue. (Optional, update the expiration date of the userid cookie.)

3) When the server detects an incoming request without a session cookie, check for the userid cookie. If the userid cookie was passed in, authenticate the user. If no cookies, send the user to the login page.

There are similar mechanisms that would allow you to reconnect the user to the actual session. They require poking the user's sessionid into the database when it is created, and then pulling that session back out when the user reconnects. I don't know the details for doing this in Rails, I have not looked into the details of either session or cookie management in Rails, but possibly it could be done with a redirect that includes the original session cookie.

Ray

On 5/31/05, John Kopanas <john.kopanas-O1KSuMybMhqBUy7/sJONFg@public.gmane.org> wrote:
> How do people keep people logged into a system for two weeks? Is
> there an option to make sure cookies don't expire for two weeks even
> if user closes his/her browser window?

What I've done is that I've created a unique auth token when a User account is created. Then on login I've set a cookie containing either the token or a hashed version of it (depending on level of paranoia). Then in my authenticate method I check for that cookie if no session object was found, if the cookie is there and it matches an auth token, set up the session objects again, if it wasn't found then it wasn't a valid user.

While that obviously isn't perfectly secure, I think it is at least equally secure as the sessions, since theoretically both tokens/session id's could be spoofed.

But yeah, the docs seem a bit unclear on it since they say the following for the DEFAULT_SESSION_OPTIONS:

    :session_expires - the time the current session expires, as a Time object. If not set, the session will continue indefinitely.

But I'm not sure whether the current functionality is intentional and the above only applies for as long as the browser session is active (eg. user hasn't closed browser) or whether it should apply regardless. If it's the latter then I guess it is a bug. That, or I've been missing something and reinventing the wheel.

- johan
--
http://johansorensen.com
http://theexciter.com

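The flow Ray Baxter and Johan describe in this thread (a persistent two-week cookie that is checked when no session is found), as an added example that is not code from the thread or from Rails. It is plain Ruby with hashes standing in for the session, the cookie jar and a token table; `RememberMeStore`, `authenticate` and the `remember` cookie name are hypothetical, and it goes slightly beyond the thread by keeping only a SHA-256 digest of a random token on the server and rotating the token on each use.

```ruby
require 'securerandom'
require 'digest'

# Hypothetical in-memory stand-in for a remember_tokens database table.
class RememberMeStore
  TWO_WEEKS = 14 * 24 * 60 * 60

  def initialize
    @rows = {} # selector => { user_id:, digest:, expires_at: }
  end

  # At login: returns a cookie hash in the cookies[name] = {...} style.
  def issue(user_id, now = Time.now)
    selector = SecureRandom.hex(8)
    secret = SecureRandom.hex(32)
    @rows[selector] = { user_id: user_id, expires_at: now + TWO_WEEKS,
                        digest: Digest::SHA256.hexdigest(secret) }
    { value: "#{selector}:#{secret}", expires: now + TWO_WEEKS,
      httponly: true, secure: true }
  end

  # Returns [user_id, fresh_cookie] for a valid token, otherwise nil.
  def redeem(cookie_value, now = Time.now)
    selector, secret = cookie_value.to_s.split(':', 2)
    row = @rows[selector]
    return nil if row.nil? || secret.nil?
    if now >= row[:expires_at]
      @rows.delete(selector) # expire server-side too, not only in the browser
      return nil
    end
    return nil unless secure_compare(Digest::SHA256.hexdigest(secret), row[:digest])
    @rows.delete(selector) # single use: every redemption rotates the token
    [row[:user_id], issue(row[:user_id], now)]
  end

  private

  # Constant-time comparison of two equal-length hex digests.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# The three steps from the thread: session first, then the cookie, else login.
def authenticate(session, cookies, store, now = Time.now)
  return session[:user_id] if session[:user_id]
  user_id, fresh = store.redeem(cookies['remember'], now)
  return nil unless user_id # caller sends the user to the login page
  session[:user_id] = user_id # rebuild the server-side session
  cookies['remember'] = fresh # rotated token with a new two-week expiry
  user_id
end
```

Because the server checks `expires_at` itself, a client that keeps or replays the cookie past two weeks is still rejected.
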
On 6/1/05, Ray Baxter <ray.baxter-mn4gwa5WIIQysxA8WJXlww@public.gmane.org> wrote:
> 1) When the user first logs in, set a persistent cookie. For the purposes
> of this discussion, call it userid. Set this cookie to expire in 2 weeks.
>
> 2) So long as the user's browser continues to pass back the session cookie,
> continue. (Optional, update the expiration date of the userid cookie.)
>
> 3) When the server detects an incoming request without a session cookie,
> check for the userid cookie. If the userid cookie was passed in,
> authenticate the user. If no cookies, send the user to the login page.

Your explanation demystified the problem for me at least. Thanks! :)

> Ray

Sincerely,
Tom Reinhart
tom-V0YqjHVuocLQT0dZR+AlfA@public.gmane.org
http://AllTom.com/