session_lifetime plugin October 30th, 2008
One of the things I take for granted on the internet is session expiry. I’m used to the fact that if I’m not active for a certain amount of time, I automatically get logged out. This happens with my Online Banking, with ordering tickets online, …. Most information-critical applications have this.
Because of that, I was surprised that Rails doesn’t have this functionality on board. There is no way to set an expiry date on your session. I googled a bit and stumbled upon the dynamic session exp plugin. This gives you the possibility to expire your session through the cookie’s expires-flag.
An example
# in environment.rb
CGI::Session.expire_after 1.day
This plugin worked fine until I wanted to send a message to the webuser, informing him why this happened. Because we’re working with the expire-setting in a cookie, this isn’t possible. Because of that, I wrote my own plugin that gave me that possibility.
With session_lifetime you can set after how much time of inactivity your session should expire, you can execute an action when the session expires, and you can set where to redirect_to after session expiry.
An example
class ApplicationController < ActionController::Base
  # Expire the session after 2 hours of inactivity, then redirect to /login
  expires_session :time => 2.hours, :redirect_to => '/login'

  protected

  # Called when the session expires
  def on_expiry
    flash[:notice] = "Your session has been expired, and you have been logged out."
  end
end
More information can be found on github.
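The server-side inactivity check described above, as an added example that is not the plugin's own code. The `IdleTimeout` class, the `:last_seen_at` session key, and the plain hashes standing in for the Rails session and flash are all assumptions made for illustration.

```ruby
# Added illustration; IdleTimeout and its method names are hypothetical,
# not the session_lifetime plugin's API.
class IdleTimeout
  STAMP = :last_seen_at # assumed session key holding the server-side timestamp

  def initialize(limit_seconds, redirect_to:, on_expiry: nil)
    @limit = limit_seconds
    @redirect_to = redirect_to
    @on_expiry = on_expiry
  end

  # session: server-side session data (a Hash here)
  # flash:   per-request message store (a Hash here)
  # now:     server clock, injectable so the demo is deterministic
  # Returns [:continue, nil] or [:redirect, path].
  def check(session, flash, now = Time.now)
    last = session[STAMP]
    if last && (now - last) > @limit
      session.clear                        # drop all state of the stale session
      @on_expiry.call(flash) if @on_expiry # e.g. tell the user why they were logged out
      return [:redirect, @redirect_to]
    end
    session[STAMP] = now                   # every accepted request counts as activity
    [:continue, nil]
  end
end

def demo
  guard = IdleTimeout.new(2 * 60 * 60, redirect_to: '/login',
    on_expiry: ->(flash) { flash[:notice] = 'Your session has expired.' })
  session = { user_id: 42 }                # constructed sample session
  flash = {}
  t0 = Time.at(1_225_324_800)              # constructed timestamp
  results = []
  results << guard.check(session, flash, t0)               # first request
  results << guard.check(session, flash, t0 + 3600)        # 1 hour later: still active
  results << guard.check(session, flash, t0 + 3600 + 7201) # more than 2 hours idle
  { results: results, session: session, flash: flash }
end

p demo if __FILE__ == $PROGRAM_NAME
```

The comparison uses only the server's clock and a timestamp kept in the server-side session, so a wrong client clock or an edited cookie expiry cannot extend the session. The check runs only when a request arrives.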
Missing something?
I wrote this plugin to solve the problems I had with default Rails session handling. If you have an additional need which you think would be great for this plugin, give me a shout at sessionlifetime@defv.be, or through GitHub, and I’ll be more than happy to implement your proposal.
Good, you check for the session timestamp on the server, as opposed to setting a cookie expiry time. :)
Client-side cookie expiry is very unreliable because there are so many computers out there that have their clock incorrectly configured. A few years ago I wrote a client app which connects to my web server via HTTPS. I can’t count the number of times that a user asked me why he gets an “SSL certificate expired” error message. Turns out his clock was set to 2015 or some other future time, while it was 2006.
Great plugin! We’ve been looking for something like this… Is there a way to do something like Bank of America where the user gets a 30 second countdown warning where they can extend the session if they want, or it will automatically log them out and redirect the page?
Actually, I just tried to implement this and ran into a slight problem. I tried to expire the session after 1.minute. I logged into my application, and everything was fine. After one minute, nothing happened, but, when I tried to click on a link in my app, it redirected me to my login screen. Do you know why my page is not automatically redirecting for the user?
There is also a similar plugin here:
http://svn.intridea.com/svn/public/session_expiration/