 

Anonymous users in Rails -- security considerations?

I'm looking at implementing some form of anonymous user system in Rails. I need to let people do things (creating records, looking at what they've created, etc.) without actually creating an account. Once they create an account, everything persists without risk of losing it by clearing cookies or something.

Right now, I'm thinking it's pretty straightforward. Have an is_anonymous field in the User model, and use something like this to access the currently logged in user:

def find_user
  # Lazily create an anonymous User row and remember its id in the session;
  # whoever presents this session cookie is then treated as that user.
  session[:user_id] ||= create_new_anonymous_user.id
  @current_user ||= User.find(session[:user_id])
end

Assuming the session persists for some reasonable period of time, and the session cookie doesn't expire, that should keep everything running smoothly.

However, there is this piece of me that is convinced that I'm missing something security-related. Has anyone done something like this before? Am I missing something super-obvious?

Thanks!

Tim Sullivan asked Jan 07 '09 18:01


2 Answers

The only real security issue is going to be if these anonymous users can perform critical operations.

Your system means that anyone with the specific cookie will gain access to the site. Not necessarily a big deal, but it really depends on the type of information your users are providing.

I have done something similar in the past (in my case I was tracking progress through a site and when the user logged in or registered, I attached the "guest" data to their account). When you do the switch, make sure you delete the anonymous record to prevent further access and it should be fine.

Toby Hede answered Nov 04 '22 07:11
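The points raised above (the session cookie is a bearer credential for the anonymous user, guests should be kept away from critical operations, and the guest record must be merged and deleted on registration) as a plain-Ruby model, added here as an example and not code from the question, the answer or any Rails project. It needs no Rails: a Hash stands in for the session and an in-memory UserStore for the User table; the names User, UserStore, Controller, GuestError and the CRITICAL action list are assumptions for the example. The session reset on registration corresponds to Rails' reset_session and is what stops a fixated or leaked guest session id from being replayed into the new account.

```ruby
require 'securerandom'

# In-memory stand-in for the User model; `anonymous` plays the role of the
# is_anonymous column from the question.
User = Struct.new(:id, :email, :anonymous, :records, keyword_init: true) do
  def anonymous?
    anonymous
  end
end

class UserStore
  def initialize
    @users = {}
  end

  def create(email: nil, anonymous: false)
    user = User.new(id: SecureRandom.uuid, email: email, anonymous: anonymous, records: [])
    @users[user.id] = user
  end

  def find(id)
    @users[id]
  end

  def delete(id)
    @users.delete(id)
  end

  def size
    @users.size
  end
end

class GuestError < StandardError; end

class Controller
  # Operations an anonymous (cookie-only) identity is never allowed to perform.
  CRITICAL = %i[delete_account export_data change_billing].freeze

  # `session` is a Hash standing in for the Rails session; everything in it
  # arrived via a cookie, so its user_id is a bearer token, nothing more.
  def initialize(store, session)
    @store = store
    @session = session
  end

  # Equivalent of the question's find_user: lazily create an anonymous user
  # and remember its id. If the id no longer resolves (the guest row was merged
  # and deleted), start a fresh guest instead of trusting the stale cookie.
  def current_user
    @session[:user_id] ||= @store.create(anonymous: true).id
    @store.find(@session[:user_id]) || begin
      @session[:user_id] = @store.create(anonymous: true).id
      @store.find(@session[:user_id])
    end
  end

  # Record an action for the current user, refusing critical ones for guests.
  def perform(action)
    user = current_user
    if user.anonymous? && CRITICAL.include?(action)
      raise GuestError, "#{action} requires a registered account"
    end
    user.records << action
    user
  end

  # Registration: copy the guest's data onto the new account, delete the guest
  # row so its id is dead, and reset the session (Rails: reset_session) so a
  # session id that someone else may hold cannot be reused for the account.
  def register(email:)
    guest = current_user
    account = @store.create(email: email)
    account.records.concat(guest.records)
    @store.delete(guest.id)
    @session.clear
    @session[:user_id] = account.id
    account
  end
end
```

Replaying the old cookie after registration (a Controller built with `{ user_id: old_guest_id }`) yields a brand-new empty guest rather than the registered account, which is the property the "delete the anonymous record" advice is after.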


I just found a pretty cool example of "trial users" using Authlogic: http://github.com/gisikw/authlogic_trial

Chap answered Nov 04 '22 06:11