
What happens to Rails session after :expire_after time is up?

Does the session become nil? Does the change take effect only on the next request?

I think I just asked three questions now...

sargas asked May 01 '14 20:05


1 Answer

You can explore this by using settings similar to these:

AppName::Application.config.session_store :cookie_store, key: '_session_key', expire_after: 20.seconds

Then open up dev tools in your browser and go to cookies and select localhost cookies to see what happens.

I found out that:

  1. The session cookie gets deleted after the expiration time

  2. The expiration time for the cookie gets updated automatically (reset) upon any request (even a background Ajax request counts)

  3. The effect by default will take place upon the next request (refreshing the page, for example), and if you use typical authentication (has_secure_password, for example) the user should be logged out

I found the last comment on the ActionController::Base documentation page really helpful on this topic.

Nimir answered Sep 19 '22 11:09

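The three observations in the answer above, modelled as an added example (not part of the original answer and not Rails' own implementation): a toy browser cookie jar and a server that re-issues a signed session cookie on every response. The `last_seen` check, the secret and all helper names are assumptions of this sketch; the check shows how a server can enforce the idle timeout even for a client that ignores the cookie's expiry time.

```ruby
require "openssl"
require "json"
require "base64"

EXPIRE_AFTER = 20                   # seconds, mirrors expire_after: 20.seconds
SECRET = "constructed-demo-secret"  # constructed value, not a real key

# Server: serialize the session, stamp it, and sign it so the client cannot edit it.
def issue_cookie(session, now)
  payload = Base64.strict_encode64(JSON.generate(session.merge("last_seen" => now)))
  mac = OpenSSL::HMAC.hexdigest("SHA256", SECRET, payload)
  { value: "#{payload}--#{mac}", expires_at: now + EXPIRE_AFTER }
end

# Server: returns the session hash, or nil if missing, tampered with, or idle too long.
def load_session(cookie_value, now)
  return nil if cookie_value.nil?
  payload, mac = cookie_value.split("--", 2)
  expected = OpenSSL::HMAC.hexdigest("SHA256", SECRET, payload.to_s)
  return nil unless mac && OpenSSL.secure_compare(mac, expected)
  session = JSON.parse(Base64.strict_decode64(payload))
  # Idle check done on the server: it does not rely on the client honouring Expires.
  now - session["last_seen"] > EXPIRE_AFTER ? nil : session
end

Browser = Struct.new(:cookie) do
  # The browser discards the cookie once its expiry time has passed (observation 1).
  def value_at(now)
    self.cookie = nil if cookie && now >= cookie[:expires_at]
    cookie && cookie[:value]
  end
end

# One request/response cycle. A valid session is re-issued, which pushes the
# expiry forward (observation 2); expiry is only noticed here (observation 3).
def request(browser, now)
  session = load_session(browser.value_at(now), now)
  browser.cookie = issue_cookie(session, now) if session
  session
end

# Timeline in seconds: login at 0, requests at 15, 30 and 60.
def demo
  browser = Browser.new(issue_cookie({ "user_id" => 42 }, 0))
  saved = browser.value_at(0) # copy kept by a client that ignores the expiry time
  { t15: request(browser, 15), t30: request(browser, 30),
    t60: request(browser, 60), replay: load_session(saved, 60) }
end
```

The request at t=30 succeeds only because the request at t=15 moved the expiry from 20 to 35; the request at t=60 arrives with no cookie at all, and the replayed t=0 value is rejected by the server-side check.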