Rails 2.3 made a lot of changes in how requests are handled. Most (all?) of this has to do with its new support for Rack. Anyway, all of these changes left Rails 2.3 incompatible with the last version of the Limited Sessions plugin.
So, here’s a shiny new version of Limited Sessions to go with your shiny new version of Rails.
Apparently Rails 2.1 has the nifty ability to throw a 500 Internal Server Error with the message “IP spoofing attack?!” under certain circumstances.
Unfortunately, those circumstances include a common Apache/Mongrel deployment and Yahoo’s crawler, Slurp, trying to index your site. It’s possible Apache/Mongrel isn’t required; I’m unsure.
The key is that Slurp includes both a Client-IP header (HTTP_CLIENT_IP by the time it hits Rails) and an X-Forwarded-For header (HTTP_X_FORWARDED_FOR). When both are present, Rails assumes something evil is happening and voluntarily dies. Neat.
Either header can be relied on only if it was set by a trusted proxy. Otherwise, it’s hard to know whether it was spoofed. The difficulty is that Rails has no way of knowing which one, if any, was set by a trusted proxy.
I deploy Rails in a common Apache w/mod_proxy_balancer and Mongrel setup. Apache uses X-Forwarded-For natively, so that’s the one I want to trust. To make Rails happy, I’ve just told Apache to delete the Client-IP header if present.
Adding RequestHeader unset Client-IP to the virtual host configuration seems to do the trick.
This does require mod_headers to be enabled in Apache.
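To make the failure mode and the fix concrete, here is an added example (not code from Rails or from limited_sessions). It models the Rails 2.1 behaviour described above in a simplified form, then applies the same fix as the Apache directive, but as a Rack middleware that drops Client-IP before the request reaches Rails; the request hash is constructed and uses a TEST-NET address rather than a real crawler IP.

```ruby
# Added example; not code from Rails or the limited_sessions plugin. It models
# the Rails 2.1 behaviour described above (raise when both Client-IP and
# X-Forwarded-For arrive) and applies the Apache fix as a Rack middleware.
class IpSpoofAttackError < StandardError; end
# Simplified model of Rails 2.1's remote_ip (assumption: the real method also
# has a trusted-proxy list and private-address handling).
def rails21_remote_ip(env)
  client_ip = env['HTTP_CLIENT_IP']
  forwarded = env['HTTP_X_FORWARDED_FOR']
  if client_ip && forwarded
    # Rails cannot tell which header the trusted proxy set, so it bails out.
    raise IpSpoofAttackError,
          "IP spoofing attack?! HTTP_CLIENT_IP=#{client_ip.inspect} " \
          "HTTP_X_FORWARDED_FOR=#{forwarded.inspect}"
  end
  return client_ip if client_ip
  # mod_proxy appends the peer address, so with one proxy hop the last entry
  # is the one Apache set; anything before it was supplied by the client.
  return forwarded.split(',').last.strip if forwarded
  env['REMOTE_ADDR']
end

# Rack equivalent of "RequestHeader unset Client-IP": drop the header that no
# trusted proxy in this deployment sets, so only X-Forwarded-For reaches Rails.
class StripClientIp
  def initialize(app)
    @app = app
  end

  def call(env)
    env.delete('HTTP_CLIENT_IP')
    @app.call(env)
  end
end

# Inner app that just reports the address Rails would derive.
REPORT_IP = lambda { |env| [200, { 'Content-Type' => 'text/plain' }, [rails21_remote_ip(env)]] }
def remote_ip_via_middleware(env)
  _status, _headers, body = StripClientIp.new(REPORT_IP).call(env)
  body.first
end

# Constructed request like the Slurp case: Mongrel's peer is Apache, and both
# headers arrive (TEST-NET address, not a real crawler IP).
SLURP_REQUEST = {
  'REMOTE_ADDR'          => '127.0.0.1',
  'HTTP_CLIENT_IP'       => '203.0.113.7',
  'HTTP_X_FORWARDED_FOR' => '203.0.113.7',
}
```

Without the middleware the constructed request raises the "IP spoofing attack?!" error; with it, the address Apache placed in X-Forwarded-For is returned.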
I updated my limited_sessions plugin to improve support for Rails 2.1. It should maintain backwards compatibility.
The change concerns Rails 2.1’s new partial updates feature. Basically, partial updates are turned off for sessions so the session is kept current and doesn’t expire while the user is active.
The active_scaffold plugin for Rails can be useful at times. As is typical of a large library, when it doesn’t do quite what you want, you have to start overriding parts of it.
Unfortunately, there aren’t a lot of documented options for doing this with active_scaffold, at least not in the published docs. The code comments discuss more of the available options. So, what follows is an attempt to document some of those options.
It’s time to announce my second plugin for Ruby on Rails, limited_sessions.
It’s been publicly available for several days, so I guess it’s time that I actually talk about it.
This came out of a need to manage sessions more intelligently than Rails does by default. All of this is built as an extension to ActiveRecordStore, so sessions must be stored in the DB. Features:
Configurable, server-enforced session expiry time (e.g. 2 hours from last access)
Optional hard limit on a session measured from login time, regardless of access (e.g. 8 hours from login)
Ability to tie a session to the user’s IP or /24 subnet
Auto-cleaning of expired sessions from the DB without an external script or other helper