Implementation of "Remember me" in a Rails application
My Rails app has a login box with a "remember me" checkbox. Users who check that box should remain logged in even after closing their browser. I'm tracking whether users are logged in by storing their id in the user's session.
But sessions are implemented in Rails as session cookies, which are not persistent. I can make them persistent:
```ruby
class ApplicationController < ActionController::Base
  # Runs before every action and pushes the session cookie's expiry out to a year.
  before_filter :update_session_expiration_date

  private

  def update_session_expiration_date
    options = ActionController::Base.session_options
    unless options[:session_expires]
      options[:session_expires] = 1.year.from_now
    end
  end
end
```
But that feels like a hack, which is surprising for such common functionality. Is there any better way?
Gareth's solution is pretty good, but I'd still like a solution from someone familiar with Rails 2 (because of its unique
The restful_authentication plugin has a good implementation of this:
This is a pretty good write-up of one person's experience of implementing 30-day persistent sessions.
CAUTION: post is from 2006
You should probably not be extending the session cookie to be long lived.
Although not dealing specifically with Rails, this article goes to some length to explain 'remember me' best practices.
In summary though you should:
- Add an extra column to the user table to accept a large random value
- Set a long-lived cookie on the client which combines the user id and the random value
- When a new session starts, check for the existence of the id/value cookie and authenticate the user if they match.
The author also advises invalidating the random value and resetting the cookie at every login. Personally I don't like that, as you then can't stay logged into a site on two computers. I would tend to make sure my password-changing function also reset the random value, thus locking out sessions on other machines.
As a final note, the advice he gives on making certain functions (password change/email change etc.) inaccessible to auto-authenticated sessions is well worth following but rarely seen in the real world.
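The three steps above, as an added worked example in plain Ruby (this is not code from the linked article, the restful_authentication plugin, or the answer itself): the users table is replaced by an in-memory store, the cookie is represented as a plain hash rather than set through Rails, and the cookie name, token length and class names are assumptions. It also carries through the two points made after the list: an existing token is reused on a later login so a second machine stays logged in, and changing the password rotates the token. The constant-time comparison of the token is an addition of this example, not something the answer calls for.

```ruby
require 'securerandom'

# Stand-in for the users table (assumed; a real app would use ActiveRecord).
# Each record has the extra column the answer describes: :remember_token.
class UserStore
  def initialize
    @users = {}
    @next_id = 1
  end

  def create(password)
    id = @next_id
    @next_id += 1
    @users[id] = { id: id, password: password, remember_token: nil }
  end

  def find(id)
    @users[id]
  end
end

# Long-lived "remember me" cookie: "<user id>:<large random value>".
class RememberMe
  COOKIE_NAME = 'remember_me'   # assumed cookie name
  TTL = 365 * 24 * 60 * 60      # one year, in seconds

  def initialize(store)
    @store = store
  end

  # Login with the box ticked: mint a random value (once), store it on the user
  # and return the cookie attributes to set. Reusing an existing token is what
  # keeps a second computer logged in.
  def issue(user, now = Time.now)
    user[:remember_token] ||= SecureRandom.hex(32)   # 256 bits of randomness
    { name: COOKIE_NAME,
      value: "#{user[:id]}:#{user[:remember_token]}",
      expires: now + TTL,
      http_only: true,
      secure: true }
  end

  # New session: parse the cookie and return the user only if id and value match.
  # Returns nil for a missing, malformed, unknown or stale cookie.
  def authenticate(cookie_value)
    return nil if cookie_value.nil?
    id_str, token = cookie_value.split(':', 2)
    return nil unless id_str =~ /\A\d+\z/ && token
    user = @store.find(id_str.to_i)
    return nil unless user && user[:remember_token]
    secure_equal?(user[:remember_token], token) ? user : nil
  end

  # Password change: drop the random value so cookies on other machines stop working.
  def change_password(user, new_password)
    user[:password] = new_password
    user[:remember_token] = nil
  end

  private

  # Constant-time comparison so the token can't be guessed byte by byte via timing.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end
```

In the controller the result of `authenticate` would be written into the session as the logged-in user id, together with a flag marking the session as auto-authenticated so that password and email changes can require a fresh login, as the final note above recommends.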