iprog.com

new limited_sessions plugin for rails

it’s time to announce my second plugin for ruby on rails, limited_sessions.

it’s been publicly available for several days, so i guess it’s time that i actually talk about it.

this came out of a need to manage sessions more intelligently than rails does by default. all of this is built as an extension to ActiveRecordStore, so sessions must be stored in the db. features:

as usual, details are on the project page.

tags: plugins, sessions, limited_sessions, ruby, rails

by Faisal N. Jawdat

The second line of the about.yml needs to be quoted or things break:

summary: 'limited_sessions: cause sessions to expire or limit them to originating ip'

by tm

thanks. i’ll get that fixed right away.

by Greg Willits

Sounds good, but is there a way to declare a method which is to be executed upon the expiration of a session? So, if someone tries to load a page with an expired session, it runs this specified method at that time.

by tm

not as presently written. the code currently prevents the sql query from finding the session to begin with, so it doesn’t know if it’s expired vs. not having one to begin with.

this is, however, a good idea.

by Ryan

plugin is a great idea. am trying with rails 2.3.3 and mongrel but it didn’t remove old sessions. i configured it to:

ActiveRecord::SessionStore::Session.recent_activity_limit = 1.hour

in the environment.rb and then later tried it in the session_store.rb. not sure if i’m missing something.

by tm

You’ve probably checked these items, but just in case, here’s a list of things to verify. If you’ve verified all of these, let me know and we’ll see what else we can do to get it working.

  • You’re using the ActiveRecord session store and that’s enabled in environment.rb.
  • The sessions table in the database has an updated_at column.
  • You’ve restarted any server or mongrel process after installing the plugin.
  • Sessions are being properly created in the sessions table.

Are sessions expiring at the 2 hour default time period (vs the 1 hour you’re trying to set)? If not, sounds like you could still be using the cookie session store.

You could also check that the session cookie in your browser is just a simple hash (MD5, so 32 chars) and not the much longer encoded value that is normal when using the cookie session store.

Let me know what you find.

by Ryan

Thanks for the response. Tried it again last night and left the app running locally for 10 hours but the sessions did not get cleaned up.

I’m using active record store but it’s in config/initializers/session_store.rb (I believe that’s the standard way in 2.3.3) as
ActionController::Base.session_store = :active_record_store
The sessions table has the updated_at column.
The mongrel process was restarted after the plugin was installed.
Sessions are being properly created. The updated_at fields are 4 hours advanced of my timezone, e.g. a session is created at midnight but created_at contains 4am, however it’s currently 8am, so the two hour default should have executed but hasn’t yet.

Hope this helps.

by tm

I just created a brand new Rails 2.3.3 app using SQLite. I ran the session_migration and enabled :active_record_store via initializers/session_store.rb.

I installed the limited_sessions plugin straight from the public subversion repository; it is the only plugin installed in my test app.

I also added the limited session configuration at the bottom of initializers/session_store.rb as ActiveRecord::SessionStore::Session.recent_activity_limit = 1.minute.

I created a very simple controller that created a session variable session[:counter] and increments it each page load.

Everything seems to be working properly. Page reloads correctly increment the counter and if I don’t load for more than 60 seconds, the session starts over.

Running ActiveRecord::SessionStore::Session.recent_activity_limit in the console shows “60 seconds”.

Running ActiveRecord::SessionStore::Session.find :all via the console also does what I expect. For reloads within the session window, the updated_at field is updated along with the data field (since I’m incrementing session[:counter] each time).

If I wait until the session times out, I get a new row in the sessions table.

I wonder if there’s some kind of interaction with another plugin you have installed or something else weird like that.

I’d be happy to email you a full copy of my working test app if it’d be helpful.

by Ryan

thanks for looking into it. i read the plugin code and there’s a line in find_by_session_id preventing cleanup from occurring:

if rand(@@auto_clean_sessions) == 0

surely once i had more traffic this will execute. i think i’m all set. thanks again for taking the time to check into it.
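
The behaviour discussed in this thread, as an added example that is not part of the original post or the plugin's own code: the lookup refuses idle sessions on every request, while stale rows are only deleted on a random 1-in-N lookup, so a low-traffic server can keep old rows in the table for hours even though they can no longer be used. `ToySessionStore`, its injectable `clock` and `rng`, and the sample session are assumptions made for the illustration.

```ruby
# Added illustration: an in-memory stand-in for the sessions table.
# ToySessionStore and its method names are hypothetical, not the plugin's API.
class ToySessionStore
  Row = Struct.new(:data, :updated_at)
  attr_reader :rows

  # recent_activity_limit: idle seconds after which a session is no longer valid.
  # auto_clean_sessions:   stale rows are purged on roughly 1 in N lookups.
  # clock and rng are injectable so the behaviour can be checked deterministically.
  def initialize(recent_activity_limit:, auto_clean_sessions:,
                 clock: -> { Time.now.to_f }, rng: ->(n) { rand(n) })
    @limit, @auto_clean = recent_activity_limit, auto_clean_sessions
    @clock, @rng, @rows = clock, rng, {}
  end

  # Saving the session is what refreshes updated_at.
  def write(session_id, data)
    @rows[session_id] = Row.new(data, @clock.call)
  end

  # Enforcement: a stale row is never returned, whether or not it was purged yet.
  def find_by_session_id(session_id)
    cutoff = @clock.call - @limit
    purge_older_than(cutoff) if @rng.call(@auto_clean).zero?
    row = @rows[session_id]
    row.data if row && row.updated_at >= cutoff
  end

  private

  # Housekeeping only: removes rows that lookups already refuse to return.
  def purge_older_than(cutoff)
    @rows.delete_if { |_id, row| row.updated_at < cutoff }
  end
end

# Constructed scenario: one session idle for two hours against a one-hour limit.
def idle_session_demo
  now = 0.0
  draw = 1 # non-zero draw: the lookup skips the purge
  store = ToySessionStore.new(recent_activity_limit: 3600, auto_clean_sessions: 1000,
                              clock: -> { now }, rng: ->(_n) { draw })
  store.write("abc", { counter: 1 })
  now = 7200.0
  seen = store.find_by_session_id("abc") # expired as far as the client is concerned
  left_behind = store.rows.size          # yet the row is still in the table
  draw = 0                               # the 1-in-N draw finally hits
  store.find_by_session_id("other")      # any later lookup triggers the purge
  [seen, left_behind, store.rows.size]
end
p idle_session_demo if __FILE__ == $PROGRAM_NAME
```

When auditing a store like this, test expiry by replaying an old session id rather than by counting rows in the sessions table.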