It seems Rails sessions by default only last, well, a browsing session. If the Rails app keeps track of logged-in state by sessions, that state doesn''t survive restarting the browser. How best to change this behaviour, to make the session cookie live forever, or at least beyond browser restarts? It was suggested to me on IRC to combine sessions with code to generate a unique id and then store that in a "normal cookie" as well as in the DB, and then restore the session out of that, but that seems like re-inventing session handling. What are some better solutions? -- Posted via http://www.ruby-forum.com/.
You can set the expiration time of the cookie in the Rails code when you create it. Just include the :expires option in the hash when you define the cookie. On Jan 8, 2006, at 3:35 PM, Henrik wrote:> It seems Rails sessions by default only last, well, a browsing > session. > If the Rails app keeps track of logged-in state by sessions, that > state > doesn''t survive restarting the browser. > > How best to change this behaviour, to make the session cookie live > forever, or at least beyond browser restarts? > > It was suggested to me on IRC to combine sessions with code to > generate > a unique id and then store that in a "normal cookie" as well as in the > DB, and then restore the session out of that, but that seems like > re-inventing session handling. > > What are some better solutions? > > -- > Posted via http://www.ruby-forum.com/. > _______________________________________________ > Rails mailing list > Rails@lists.rubyonrails.org > http://lists.rubyonrails.org/mailman/listinfo/rails-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-. -.-.-.-.-.-.-.-.-.-.-.-.-.-.- Dan Shafer Technology Visionary - Technology Assessment - Documentation "Looking at technology from every angle" http://www.eclecticity.com
On this note, how do people deal with persistent logins, such as ''remember me'' functions when logging in? Just store a unique ID in a cookie as mentioned below, or some other method? Thanks. -- R.Livsey http://livsey.org Dan Shafer wrote:> You can set the expiration time of the cookie in the Rails code when > you create it. Just include the :expires option in the hash when you > define the cookie. > > > On Jan 8, 2006, at 3:35 PM, Henrik wrote: > >> It seems Rails sessions by default only last, well, a browsing session. >> If the Rails app keeps track of logged-in state by sessions, that state >> doesn''t survive restarting the browser. >> >> How best to change this behaviour, to make the session cookie live >> forever, or at least beyond browser restarts? >> >> It was suggested to me on IRC to combine sessions with code to generate >> a unique id and then store that in a "normal cookie" as well as in the >> DB, and then restore the session out of that, but that seems like >> re-inventing session handling. >> >> What are some better solutions? > >
Whether in Rails or other apps, I handle the "remember me" and auto- login stuff pretty much the same. I use cookies rather than the server database. If the user loses the cookie or tries to log in from a different machine, s/he has to go through the login process again but that''s the only real downside. I think of of the user as an object that should know how to log itself in. MVC, ya know! :-) On Jan 8, 2006, at 8:38 PM, Richard Livsey wrote:> On this note, how do people deal with persistent logins, such as > ''remember me'' functions when logging in? > Just store a unique ID in a cookie as mentioned below, or some > other method? > > Thanks. > > -- > R.Livsey > http://livsey.org > > > Dan Shafer wrote: > >> You can set the expiration time of the cookie in the Rails code >> when you create it. Just include the :expires option in the hash >> when you define the cookie. >> >> >> On Jan 8, 2006, at 3:35 PM, Henrik wrote: >> >>> It seems Rails sessions by default only last, well, a browsing >>> session. >>> If the Rails app keeps track of logged-in state by sessions, >>> that state >>> doesn''t survive restarting the browser. >>> >>> How best to change this behaviour, to make the session cookie live >>> forever, or at least beyond browser restarts? >>> >>> It was suggested to me on IRC to combine sessions with code to >>> generate >>> a unique id and then store that in a "normal cookie" as well as >>> in the >>> DB, and then restore the session out of that, but that seems like >>> re-inventing session handling. >>> >>> What are some better solutions? >> >> > > > _______________________________________________ > Rails mailing list > Rails@lists.rubyonrails.org > http://lists.rubyonrails.org/mailman/listinfo/rails-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-. -.-.-.-.-.-.-.-.-.-.-.-.-.-.- Dan Shafer Technology Visionary - Technology Assessment - Documentation "Looking at technology from every angle" http://www.eclecticity.com
Dan Shafer wrote:> You can set the expiration time of the cookie in the Rails code when > you create it. Just include the :expires option in the hash when you > define the cookie.Thank you. Could you please expound on this? I know that you can set the expire time on cookies, but this concerns sessions, where you never set cookies yourself. E.g. session[''foo''] = ''bar'' Is there a way to inject e.g. :expires into the session cookie? -- Henrik -- Posted via http://www.ruby-forum.com/.
Dan Shafer wrote:> Whether in Rails or other apps, I handle the "remember me" and auto- > login stuff pretty much the same. I use cookies rather than the > server database. If the user loses the cookie or tries to log in from > a different machine, s/he has to go through the login process again > but that''s the only real downside. > > I think of of the user as an object that should know how to log > itself in. MVC, ya know! :-)Well, the downside with cookies is that you can''t very well set e.g. cookie[''logged-in-user''] = ''foo'' since anyone could spoof it. I suppose you could do cookie[''logged-in-user''] = ''foo'' cookie[''logged-in-pw-hash''] = ''b4r010101010'' which might perhaps not be much less safe than the session id hash. However, it is certainly possible to make session cookies persistent. Rails is just so high-level that I don''t know how to go about it. -- Henrik -- Posted via http://www.ruby-forum.com/.
Sorry, but I can''t expound further on session cookies. I''m too new to Ruby and I''d probably get it wrong. Hopefully someone else will jump in here with more wisdom than I. On Jan 9, 2006, at 12:45 AM, Henrik wrote:> Dan Shafer wrote: >> You can set the expiration time of the cookie in the Rails code when >> you create it. Just include the :expires option in the hash when you >> define the cookie. > > Thank you. Could you please expound on this? I know that you can > set the > expire time on cookies, but this concerns sessions, where you never > set > cookies yourself. E.g. > > session[''foo''] = ''bar'' > > Is there a way to inject e.g. :expires into the session cookie? > > -- > Henrik > > -- > Posted via http://www.ruby-forum.com/. > _______________________________________________ > Rails mailing list > Rails@lists.rubyonrails.org > http://lists.rubyonrails.org/mailman/listinfo/rails-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-. -.-.-.-.-.-.-.-.-.-.-.-.-.-.- Dan Shafer Technology Visionary - Technology Assessment - Documentation "Looking at technology from every angle" http://www.eclecticity.com