Remember Me Implementation in a Rails Application

My Rails application has a sign-in box with a "remember me" checkbox. Users who check this box should remain logged in even after closing their browser. I keep track of whether users are logged in by storing their id in the user's session.

But sessions are implemented in Rails as session cookies, which are not persistent. I can make them persistent:

```ruby
class ApplicationController < ActionController::Base
  before_filter :update_session_expiration_date

  private

  # Make the session cookie outlive the browser window by giving it an
  # explicit expiry one year out, unless one has already been set.
  def update_session_expiration_date
    options = ActionController::Base.session_options
    unless options[:session_expires]
      options[:session_expires] = 1.year.from_now
    end
  end
end
```

But it looks like a hack, which is surprising for such common functionality. Is there a better way?

Edit

Gareth's answer is pretty good, but I still need an answer from someone familiar with Rails 2 (because of its unique CookieSessionStore).

+45
ruby ruby-on-rails
Aug 02 '08 at 12:56
8 answers

I spent some time thinking about it and came to some conclusions. Rails session cookies are tamper-proof by default, so you really don't have to worry about cookies being changed on the client side.

Here is what I did:

  • The session cookie is set to be long-lived (6 months or so).
  • Inside the session store:
    • An "expires on" date set to login + 24 hours.
    • The user id.
    • authenticated = true, so I can allow anonymous user sessions (not dangerous because of the tamper protection).
  • I add a before_filter to the ApplicationController that checks the "expires on" part of the session.

When the user checks the Remember Me checkbox, I just set session[:expireson] to login + 2 weeks. No one can steal the cookie and stay logged in forever or masquerade as another user, because the Rails session cookie is tamper-proof.

+10
Sep 16 '08 at 21:37
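The answer above relies on two things: the session cookie is signed so the client cannot edit it, and the "expires on" value lives inside that signed payload rather than in the cookie's own expiry header. The following is an added illustration in plain Ruby, not the Rails CookieStore implementation or code from the answer: a small HMAC-signed session encoder, the login-time session the answer describes (user id, authenticated flag, expireson at +24 hours or +2 weeks), and the check a before_filter would run. The secret, the SHA1 HMAC, the JSON payload and the key name "expireson" are assumptions made for the example.

```ruby
require 'openssl'
require 'json'
require 'time'

# Constructed secret for the example only; a real app uses its configured session secret.
SESSION_SECRET = 'constructed-example-secret-not-for-production'

# Constant-time comparison so signature checks do not leak how many bytes matched.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Serialize a session hash into "payload--hmac". The HMAC is what makes the
# cookie tamper-evident: changing any byte of the payload breaks the signature.
def encode_session(data, secret = SESSION_SECRET)
  payload = [JSON.generate(data)].pack('m0')                 # strict base64
  digest  = OpenSSL::HMAC.hexdigest('SHA1', secret, payload)
  "#{payload}--#{digest}"
end

# Verify the signature and return the session hash, or nil if the cookie was
# altered, truncated, or never signed with our secret.
def decode_session(cookie, secret = SESSION_SECRET)
  payload, digest = cookie.to_s.split('--', 2)
  return nil if payload.nil? || digest.nil?
  expected = OpenSSL::HMAC.hexdigest('SHA1', secret, payload)
  return nil unless secure_compare(expected, digest)
  JSON.parse(payload.unpack1('m0'))
rescue ArgumentError, JSON::ParserError
  nil
end

# The session written at login: user id, authenticated flag, and an "expires on"
# timestamp of login + 24 hours, or login + 2 weeks when Remember Me is checked.
def login_session(user_id, remember_me:, now: Time.now)
  ttl = remember_me ? 14 * 24 * 3600 : 24 * 3600
  { 'user_id' => user_id,
    'authenticated' => true,
    'expireson' => (now + ttl).utc.iso8601 }
end

# What the before_filter checks on each request: the cookie must verify, the
# authenticated flag must be set, and the embedded expiry must still be ahead.
# Returns the user id, or nil when the request should be treated as anonymous.
def current_user_id(cookie, now: Time.now)
  session = decode_session(cookie)
  return nil unless session && session['authenticated']
  return nil if Time.parse(session['expireson']) <= now
  session['user_id']
end
```

Because the expiry is inside the signed payload, a client that keeps the long-lived cookie past its "expires on" date is still logged out, and a client that rewrites the date or the user id produces a cookie that fails verification and is treated as no session at all.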

You almost certainly do not want to extend your session cookie to be long-lived.

Although this article is not about Rails, you will find a few examples in it that explain the best Remember Me approaches.

In summary, though, you should:

  • Add an extra column to the user table to hold a large random value
  • Set a long-lived cookie on the client that combines the user id and the random value
  • When a new session begins, check for the id / value cookie and authenticate the user if they match.

The author also recommends invalidating the random value and resetting the cookie every time you log in. Personally, I don't like that, because then you can't stay logged in to the site on two computers. I would like to make sure that my password change function also resets the random value, which would block sessions on other machines.

As a final note, the advice he gives about making certain functions (password change, email change, etc.) unavailable to auto-authenticated sessions is noteworthy, but rarely seen in the real world.

+25
Aug 02 '08 at 16:10

I would advise you to either take a look at the restful_authentication plugin, which has an implementation of this, or simply switch your implementation to use the restful_authentication plugin. There is a good explanation of how to use this plugin on Railscasts:

Railscasts #67: restful_authentication

Here is a link to the plugin itself:

restful_authentication

+9
Sep 17 '08 at 14:17

The restful_authentication plugin has a good implementation:

http://agilewebdevelopment.com/plugins/restful_authentication

+5
Aug 6 '08 at 21:30

This is a pretty good write-up of one guy's experience building 30-day persistent sessions.

WARNING: blog post from 2006

http://grahamglass.blogs.com/main/2006/05/rails_sessionsr.html

+3
Aug 03 '08 at 1:53

Note that you do not want to persist the session, only the identity. You will create a new session for them when they return to your site. Typically, you simply assign a GUID to a user, write it to a cookie, and then use it to look them up when they return. Do not use the username or user id for the token, as it can be easily guessed and would allow clever visitors to take over other users' accounts.

+3
01 Sep '08 at 21:46
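Gareth's answer (random value in an extra user-table column, cookie combining user id and value, reset on password change) and the answer above (a random token, never the user id, as the cookie value) describe the same token-based design. What follows is an added example in plain Ruby, not code from either answer, from the linked article, or from restful_authentication or Devise. It stands in for the users table with an in-memory hash, and it stores a SHA-256 digest of the token rather than the token itself, a refinement beyond what either answer states so that a copy of the database does not yield working cookies. The column name remember_digest, the cookie format "id:token" and the token length are assumptions.

```ruby
require 'securerandom'
require 'digest'

# Stand-in for the users table (constructed); remember_digest is the extra
# column Gareth's answer calls for, holding a digest of the random value.
User = Struct.new(:id, :remember_digest)
USERS = {}

def create_user(id)
  USERS[id] = User.new(id, nil)
end

# Constant-time comparison so a wrong token cannot be narrowed down byte by byte.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Generate a large random value, store only its digest server-side, and return
# the cookie value the client keeps: the user id combined with the raw token.
def issue_remember_cookie(user)
  token = SecureRandom.hex(32)                      # 256 bits of randomness
  user.remember_digest = Digest::SHA256.hexdigest(token)
  "#{user.id}:#{token}"
end

# At the start of a new session: split the cookie, find the user by id, and
# authenticate only if the token's digest matches what is stored. The id alone
# is worthless to an attacker because the random part must also match.
def user_from_remember_cookie(cookie)
  id_str, token = cookie.to_s.split(':', 2)
  return nil if id_str.nil? || token.nil? || id_str !~ /\A\d+\z/
  user = USERS[id_str.to_i]
  return nil if user.nil? || user.remember_digest.nil?
  return nil unless secure_compare(user.remember_digest, Digest::SHA256.hexdigest(token))
  user
end

# Explicit logout or password change clears the stored digest, which
# invalidates every remember-me cookie issued for that user on every machine.
def forget_user(user)
  user.remember_digest = nil
end

def change_password(user, _new_password)
  # Password hashing is out of scope here; the remember-token reset is the point.
  forget_user(user)
  true
end
```

Not resetting the token on each login (Gareth's preference) is what keeps two machines logged in at once; the trade-off is that one leaked cookie stays valid until the user changes their password or logs out, so the reset path matters more, not less.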

I would go with Devise, a brilliant authentication solution for Rails.

+3
Jan 16 '11 at 4:26

This helped me:

http://squarewheel.wordpress.com/2007/11/03/session-cookie-expiration-time-in-rails/

Now my CookieStore sessions expire in two weeks, after which the user has to submit their credentials again to be logged in for another two weeks.

Basically, it is as simple as:

  • including one file in the vendor/plugins directory
  • setting the session expiration value in the application controller with a single line
+2
Sep 20 '08 at 8:58