plugin: limited_sessions

A plugin to modify Ruby on Rails’ standard database-backed sessions behavior to be more intelligent.

Upgrading from a pre-Rails 2.3 version

The configuration options have changed. If you’ve been using the defaults, then no action is required. If you’ve been setting values, then you must make changes. See the Configuration section below for the new names of the settings.

Features

Requirements

Limitations

Installation

Simply add this plugin to your Rails app and configure it if required.

To add it to your Rails app:

./script/plugin install http://svn.iprog.com/projects/rails/plugins/limited_sessions

Configuration

There are several options that can be configured. They should be placed at the end of config/environment.rb (or the individual <environment>.rb files if that’s preferred).

ActiveRecord::SessionStore::Session.recent_activity_limit = 2.hours

This will expire sessions after the given period of inactivity. This is managed on the server side, and if the user closes their browser, the session will be gone. Default is 2 hours.

ActiveRecord::SessionStore::Session.hard_session_limit = 24.hours

Sessions can also be forcefully expired without regard to the last activity. So if this is set to 24 hours and the above is two hours, the session will be terminated if a) the user has been inactive for more than two hours OR b) it has been more than 24 hours since the session began. Default is disabled (nil). Requires a `created_at` column in the session table.

ActiveRecord::SessionStore::Session.auto_clean_sessions = 1000

Runs a random test to decide whether the app should delete all expired sessions now. The odds are 1 in whatever value is provided here. 0 will disable this option. Default is 1000. A busy site may want 10000 or higher.

ActionController::Request.ip_restriction = :subnet

If set to :subnet, the first three quads of the IPv4 address are compared for a match. If set to :exact, the full IP address is compared (which should also work for IPv6). If there is no match, the session will be reset. Default is :none. The IP match data is stored in the session store as session[:ip].
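
The following is an added example, not the plugin's own code: a standalone Ruby model of how the two time limits and the ip_restriction modes described above combine. The helper names (session_expired?, ip_match_key, check_ip!), the handling of a session with no stored IP yet, and the fallback to a full-address comparison for IPv6 under :subnet are assumptions made for illustration.

```ruby
require 'ipaddr'

HOUR = 3600

# Constructed values mirroring the settings shown above (nil hard limit = disabled).
LIMITS = { recent_activity_limit: 2 * HOUR, hard_session_limit: 24 * HOUR }.freeze

# True when either limit is exceeded: idle too long OR too old overall.
def session_expired?(created_at, updated_at, now, limits = LIMITS)
  idle = now - updated_at
  age  = now - created_at
  return true if idle > limits[:recent_activity_limit]
  hard = limits[:hard_session_limit]
  !hard.nil? && age > hard
end

# Value to remember for the client under a given ip_restriction mode.
def ip_match_key(remote_ip, mode)
  addr = IPAddr.new(remote_ip)
  case mode
  when :exact then addr.to_s
  when :subnet
    # First three quads of an IPv4 address are its /24 network.
    # Assumption: IPv6 has no quads, so the full address is compared instead.
    addr.ipv4? ? addr.mask(24).to_s : addr.to_s
  else raise ArgumentError, "unknown mode #{mode.inspect}"
  end
end

# Returns :ok or :reset. On a mismatch the session hash is emptied before the
# new client's key is stored; a session with no stored key is treated as a
# first request (assumed behaviour, not taken from the plugin).
def check_ip!(session, remote_ip, mode)
  return :ok if mode == :none
  key = ip_match_key(remote_ip, mode)
  result = (session[:ip].nil? || session[:ip] == key) ? :ok : :reset
  session.clear if result == :reset
  session[:ip] = key
  result
end
```

With :subnet, a client moving between addresses in the same /24 keeps its session, while :exact resets it on any address change, which matters for users behind rotating proxies or mobile carriers.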

Note on Rails versions

The above instructions are specific to the current version of limited_sessions, which is only compatible with Rails 2.3+. See the README for the version compatible with Rails 2.2 and earlier, as the configuration options are different.

(2009-apr-23) - version 2.3 - download

Rails 2.3 compatible version.

Note to upgraders: the configuration options have changed due to changes in Rails 2.3.

(2008-jul-23) - version 2 - download

Version compatible with Rails 2.1 and 2.2. Should work with earlier versions as well.

(2007-sep-06) - version 1 - download