session_lifetime plugin October 30th, 2008

One of the things I take for granted on the internet is session expiry. I’m used to the fact that if I’m not active for a certain amount of time, I automatically get logged out. This happens with my online banking, with ordering tickets online, and so on. Most information-critical applications have this.

Because of that, I was surprised that Rails doesn’t have this functionality on board. There is no way to set an expiry date on your session. I googled a bit and stumbled upon the dynamic session exp plugin. It lets you expire your session through the cookie’s expires setting.

An example

# in environment.rb
CGI::Session.expire_after 1.day

This plugin worked fine until I wanted to show the web user a message explaining why this happened. Because the expiry is handled by the expire setting in a cookie, this isn’t possible: the browser simply stops sending the cookie, so the application never sees that a session expired. Because of that, I wrote my own plugin that gave me that possibility.

With session_lifetime you can set after how much time of inactivity your session should expire, you can execute an action when the session expires, and you can set where to redirect_to after session expiry.

An example

class ApplicationController < ActionController::Base
  expires_session :time => 2.hours, :redirect_to => '/login'

  protected
  def on_expiry
    flash[:notice] = "Your session has been expired, and you have been logged out."
  end
end

More information can be found on github.
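The behaviour described above (an inactivity timeout checked on the server, an expiry callback, and a redirect target) can be sketched in plain Ruby. This is an added example, not the plugin's source; `IdleTimeout`, the `:last_seen` key and the injected clock are hypothetical names, and it assumes the session hash lives in server-controlled or signed storage.

```ruby
# Added sketch, not the plugin's code: server-side idle timeout.
# The check only runs when a request arrives, so an idle browser
# page is not redirected until the user makes the next request.
class IdleTimeout
  Result = Struct.new(:status, :location, :flash)

  def initialize(timeout:, redirect_to:, clock: -> { Time.now })
    @timeout = timeout          # allowed inactivity in seconds
    @redirect_to = redirect_to
    @clock = clock              # server clock; the client's clock is never used
  end

  # Call once per request with the session hash.
  def check(session)
    now = @clock.call
    last_seen = session[:last_seen]
    if last_seen && now - last_seen > @timeout
      session.clear             # drop the user id and every other key
      return Result.new(:expired, @redirect_to, on_expiry)
    end
    session[:last_seen] = now   # sliding window: activity renews the timer
    Result.new(:ok, nil, nil)
  end

  protected

  def on_expiry
    "Your session has expired, and you have been logged out."
  end
end

# Constructed timeline: requests at t=0, t=90 minutes, then 3 hours later.
def demo
  t = Time.at(0)
  guard = IdleTimeout.new(timeout: 2 * 60 * 60, redirect_to: '/login',
                          clock: -> { t })
  session = { user_id: 42 }
  results = []
  results << guard.check(session).status   # first request starts the timer
  t += 90 * 60
  results << guard.check(session).status   # still inside the 2 hour window
  t += 3 * 60 * 60
  results << guard.check(session)          # idle too long: expired
  [results, session]
end
```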

Missing something?

I wrote this plugin to solve the problems I had with default Rails session handling. If you have an additional need which you think would be great for this plugin, give me a shout at sessionlifetime@defv.be, or through GitHub, and I’ll be more than happy to implement your proposal.


5 Responses to “session_lifetime plugin”

  • over 3 years ago Hongli said

    Good, you check for the session timestamp on the server, as opposed to setting a cookie expiry time. :)

    Client-side cookie expiry is very unreliable because there are so many computers out there that have their clock incorrectly configured. A few years ago I wrote a client app which connects to my web server via HTTPS. I can’t count the number of times that a user asked me why he gets an “SSL certificate expired” error message. Turns out his clock was set to 2015 or some other future time, while it was 2006.

  • over 3 years ago Dave said

    Great plugin! We’ve been looking for something like this… Is there a way to do something like Bank of America where the user gets a 30 second countdown warning where they can extend the session if they want, or it will automatically log them out and redirect the page?

  • over 3 years ago Dave said

    Actually, I just tried to implement this and ran into a slight problem. I tried to expire the session after 1.minute. I logged into my application, and everything was fine. After one minute, nothing happened, but, when I tried to click on a link in my app, it redirected me to my login screen. Do you know why my page is not automatically redirecting for the user?

  • over 3 years ago Douglas said

    There is also a similar plugin here:

    http://svn.intridea.com/svn/public/session_expiration/

  • about 1 year ago jiemei said

    Great! Thanks for sharing.

    http://svn.intridea.com/svn/public/session_expiration/
