Greg Hauptmann wrote:
> Thanks Erik - very interesting
>
> Based on my readings it would seem you could say that Rails does not provide
> web application session expiry. Whilst there is support for expiry of
> cookies it seems well documented that relying on cookies is prone to
> user-end abuse.
>
> The implication is that one has to build one's own session management (time
> based session management and expiry).

While this is true there are a number of plugins available that help reduce
implementation effort.

> The major options in terms of the detection of this seem to be to store last
> application usage somewhere (session, database etc) but then in terms of when
> the session is checked do this either:
>
> a) periodically, e.g. by using a sweeper type arrangement OR
> b) based on a before filter in the controller
>
> Any comments guys on which of these is the better mechanism, noting it would
> potentially be called each request?

I would say you will need to use BOTH above methods. b) can be implemented
with relative ease. You can use :except (or :only) to control which actions
are filtered. a) requires a bit more work but is doable (is that a word?) as
Craig has suggested. This is where you can clean up "abandoned" sessions.

Long
www.edgesoft.ca/blog/read/2

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---
Hi,

Does Rails provide session timeout out-of-the-box? (i.e. like Java servlets
provide in J2EE) or does one need to implement this similar to the Rails
Recipes book?

Tks
I don't believe so. I added this functionality to my application, though.
Take a look at my blog for the code.

http://burningtimes.net/articles/2006/10/15/paranoid-rails-session-storage

Erik
Thanks Erik - very interesting

Based on my readings it would seem you could say that Rails does not provide
web application session expiry. Whilst there is support for expiry of cookies
it seems well documented that relying on cookies is prone to user-end abuse.

The implication is that one has to build one's own session management (time
based session management and expiry). The major options in terms of the
detection of this seem to be to store last application usage somewhere
(session, database etc) but then in terms of when the session is checked do
this either:

a) periodically, e.g. by using a sweeper type arrangement OR
b) based on a before filter in the controller

Any comments guys on which of these is the better mechanism, noting it would
potentially be called each request?

Greg

On 11/4/06, Erik <erik.elmore-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
>
> I don't believe so. I added this functionality to my application,
> though. Take a look at my blog for the code.
>
> http://burningtimes.net/articles/2006/10/15/paranoid-rails-session-storage
>
> Erik
On Sat, 2006-11-04 at 20:53 +1000, Greg Hauptmann wrote:
> Thanks Erik - very interesting
>
> Based on my readings it would seem you could say that Rails does not
> provide web application session expiry. Whilst there is support for
> expiry of cookies it seems well documented that relying on cookies is
> prone to user-end abuse.
>
> The implication is that one has to build one's own session management
> (time based session management and expiry). The major options in
> terms of the detection of this seem to be to store last application
> usage somewhere (session, database etc) but then in terms of when the
> session is checked do this either:
>
> a) periodically, e.g. by using a sweeper type arrangement OR
> b) based on a before filter in the controller
>
> Any comments guys on which of these is the better mechanism, noting it
> would potentially be called each request?
----
I believe AWDWR covered file based sessions - or perhaps it was the Rails
wiki that did... I forgot.

I think I got this from Rails Recipes (ActiveRecord based sessions):

    # Destroys every session row not touched in the last 30 minutes.
    class SessionCleaner
      def self.remove_stale_sessions
        CGI::Session::ActiveRecordStore::Session.
          destroy_all( ['updated_at < ?', 30.minutes.ago] )
      end
    end

for using cron to periodically call this via script/runner.

Craig
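As an added example (not code from the thread, from Rails Recipes, or from Rails itself), here is a plain-Ruby model of the two mechanisms Long recommends combining: the per-request check a before filter would run, and the periodic sweep Craig's cron job would run. The SessionStore class, its method names and the in-memory Hash standing in for ActiveRecordStore are all assumptions made for the illustration; the point it shows is that the timestamp deciding expiry lives server-side, where the client's cookie cannot reach it.

```ruby
require 'securerandom'

# Constructed stand-in for a server-side session store (ActiveRecordStore in
# the thread). The client only ever holds the session id, so the updated_at
# that decides expiry lives here and cannot be changed by editing the cookie.
class SessionStore
  TIMEOUT = 30 * 60  # seconds of inactivity after which a session is stale

  def initialize
    @sessions = {}   # session_id => { data: {}, updated_at: Time }
  end

  def create(now = Time.now)
    id = SecureRandom.hex(16)
    @sessions[id] = { data: {}, updated_at: now }
    id
  end

  # (b) Per-request check, what a before filter would run: a missing or stale
  # session is destroyed and replaced by a fresh empty one, so the request
  # never continues with expired state; a live one has its timestamp touched.
  # Returns [session_id, session_data]; the id may differ from the one given.
  def check_request(id, now = Time.now)
    entry = @sessions[id]
    if entry.nil? || now - entry[:updated_at] > TIMEOUT
      @sessions.delete(id)
      id = create(now)
      entry = @sessions[id]
    end
    entry[:updated_at] = now
    [id, entry[:data]]
  end

  # (a) Periodic sweeper, what the cron job would run: removes sessions
  # nobody has touched within TIMEOUT, which the filter alone would leave
  # in the store forever. Returns the number of sessions removed.
  def remove_stale_sessions(now = Time.now)
    stale = @sessions.keys.select { |k| now - @sessions[k][:updated_at] > TIMEOUT }
    stale.each { |k| @sessions.delete(k) }
    stale.size
  end

  def size
    @sessions.size
  end
end
```

A real filter would also want to log the forced re-creation, since a burst of expirations for one account is worth noticing.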
Hi Long - was there a particular plugin (plugins) you had in mind here?

On 7/5/02, Long <long755-bJEeYj9oJeDQT0dZR+AlfA@public.gmane.org> wrote:
>
> While this is true there are a number of plugins available that help
> reduce implementation effort.
Greg Hauptmann wrote:
> Hi Long - was there a particular plugin (plugins) you had in mind here?

Greg,

If you Google 'session expire' on this group you will find some references.
Here is a previous thread you may find of use:

http://groups.google.ca/group/rubyonrails-talk/browse_thread/thread/7e61b201ac19677b/3c488c21682413a0?lnk=gst&q=session+expire&rnum=4#3c488c21682413a0

I have written a similar plugin for my own use also. I keep promising to
release it but just not finding the time to get it done (sigh).

Long
www.edgesoft.ca/blog/read/2
Tks Long - I'll follow this up / read through this.

One thing still not clear to me (need to do more reading) is whether the
out-of-the-box Rails session timeout is just using the cookie expiry concept
or not? i.e. does the Rails session infrastructure add additional server-side
checks & balances to ensure that any tampering of cookie information at the
client end can not change the timeout period for the session, for example?

So is the Rails session timeout facility adequate from a security point of
view? (i.e. if you didn't want more functionality like seeing who is logged
on, could one use it and feel comfortable?)

Greg
Greg Hauptmann wrote:
> Tks Long - I'll follow this up / read through this.

You're welcome.

> One thing still not clear to me (need to do more reading) is whether the
> out-of-the-box Rails session timeout is just using the cookie expiry concept
> or not?

I don't think Rails uses cookie expiry by default but one can certainly set it.
However the cookie itself is at the mercy of the browser/user. It can be cleared
at any time so it can't be relied upon.

Out-of-the-box a Rails session lives forever, so if we want to we have to add
the filter to expire the session. This will only handle clients that try to
reconnect after a long period of inactivity.

> i.e. does the Rails session infrastructure add additional server-side
> checks & balances to ensure that any tampering of cookie information at
> the client end can not change the timeout period for the session, for
> example?

I don't think Rails performs additional checks automatically. A Rails session
lives on the server side and anything you store in the session stays on the
server side. The only thing Rails passes to the client is the session_id (in
the form of a cookie). Assuming cookies are enabled, on subsequent requests
Rails makes sure the correct session is reconnected. If your app has not set
any other value in the client cookie then there is nothing to tamper with,
except the session_id value. So the answer is no, the client can not change
the timeout period through tampering.

> So is the Rails session timeout facility adequate from a security point of
> view? (i.e. if you didn't want more functionality like seeing who is logged
> on, could one use it and feel comfortable?)

From a security standpoint Rails' session handling is not any different from
other technologies such as PHP or Java. They all use a cookie to store the
session_id in order to maintain user state across HTTP requests. In this
context the facility is adequate.

If you have a member-only area consider using SSL (via HTTPS) to gain an
additional layer of protection.

Long
www.edgesoft.ca/blog/read/2
Tks Long - this really helped.

Can I ask, at this point in time, which plugin (or code, albeit on a blog)
would you recommend if I wanted to add (a) the ability to set a defined
session timeout period and (b) be able to get a list of who is currently
using the website [anonymous & logged-on user names]? Does something exist
now? I did see Erik's post here
<http://burningtimes.net/articles/2006/10/15/paranoid-rails-session-storage>
so I'm wondering whether to try to incorporate this approach, or leverage a
separate existing plugin.

Perhaps at this point in time the best approach is to take the bits you need
from all of the posts/plugins and come up with something that suits one's own
needs (i.e. as it doesn't seem like there is a clear de facto popular plugin
in this area yet).

Tks again

On 11/5/06, Long <long755-bJEeYj9oJeDQT0dZR+AlfA@public.gmane.org> wrote:
>
> Greg Hauptmann wrote:
> > Tks Long - I'll follow this up / read through this.
>
> You're welcome.
>
> > One thing still not clear to me (need to do more reading) is whether the
> > out-of-the-box Rails session timeout is just using the cookie expiry
> > concept or not?
>
> I don't think Rails uses cookie expiry by default but one can certainly
> set it. However the cookie itself is at the mercy of the browser/user. It
> can be cleared at any time so it can't be relied upon.
>
> Out-of-the-box a Rails session lives forever, so if we want to we have to
> add the filter to expire the session. This will only handle clients that
> try to reconnect after a long period of inactivity.
>
> > i.e. does the Rails session infrastructure add additional server-side
> > checks & balances to ensure that any tampering of cookie information at
> > the client end can not change the timeout period for the session, for
> > example?
>
> I don't think Rails performs additional checks automatically. A Rails
> session lives on the server side and anything you store in the session
> stays on the server side. The only thing Rails passes to the client is the
> session_id (in the form of a cookie). Assuming cookies are enabled, on
> subsequent requests Rails makes sure the correct session is reconnected.
> If your app has not set any other value in the client cookie then there is
> nothing to tamper with, except the session_id value. So the answer is no,
> the client can not change the timeout period through tampering.
>
> > So is the Rails session timeout facility adequate from a security point
> > of view? (i.e. if you didn't want more functionality like seeing who is
> > logged on, could one use it and feel comfortable?)
>
> From a security standpoint Rails' session handling is not any different
> from other technologies such as PHP or Java. They all use a cookie to
> store the session_id in order to maintain user state across HTTP requests.
> In this context the facility is adequate.
>
> If you have a member-only area consider using SSL (via HTTPS) to gain an
> additional layer of protection.
>
> Long
> www.edgesoft.ca/blog/read/2
Greg Hauptmann wrote:
> Tks Long - this really helped. Can I ask, at this point in time, which
> plugin (or code, albeit on a blog) would you recommend if I wanted to add
> (a) the ability to set a defined session timeout period and

Here are some resources to start with:

http://opensource.agileevolved.com/svn/root/rails_plugins/
http://www.agilewebdevelopment.com/plugins/recent

> (b) be able to get a list of who is currently using the website [anonymous
> & logged-on user names]? Does something exist now?

I haven't looked but you may have to roll your own. Perhaps you may find
something from the above links.

Best of luck,

Long
www.edgesoft.ca/blog/read/2