Limited Sessions
Copyright 2007 t.e.morgan. License: MIT
Updates/info: http://iprog.com/project/limited_sessions Contact: tm@iprog.com
A plugin to modify the standard database-backed sessions behavior to be more intelligent.
Features: * Configurable session expiry time (eg: 2 hours from last page access) * Optional hard limit regardless of last page access (eg: 24 hours) * Optional ability to tie session to an IP or /24 subnet * Optional auto-cleaning of expired sessions
Requirements: * A functional Rails app that uses the standard ActiveRecordStore session store (config.action_controller.session_store = :active_record_store) * Ensure your sessions table has an `updated_at` column * If using hard session limits, a `created_at` column
Limitations: * IP restrictions are not IPv6 enabled for subnets (although it should work for a full match) * IP restrictions may or may not be sufficient or even work if a proxy is involved on the client side
Installation: Simply add this plugin into your rails app and configure if required.
To add to your rails app:
./script/plugin install -x http://svn.iprog.com/projects/rails/plugins/limited_sessions
(drop the -x if you don't use subversion in your project or don't want to
manage plugins via svn:externals)Configuration: There are several options that can be configured. They should be placed at the end of config/environment.rb (or the individual environment.rb files if that’s preferred).
CGI::Session::ActiveRecordStore::Session.recent_activity_limit = 2.hours
This will expire sessions after the given period of time. This is managed
on the server side and if the user closes their browser, the session will
be gone. Default is 2 hours.CGI::Session::ActiveRecordStore::Session.hard_session_limit = 24.hours
Sessions can also be forcefully expired without regard to the last
activity. So if this is set to 24 hours and the above is two hours, the
session will be terminated if a) the user has been inactive for more than
two hours OR b) it has been more than 24 hours since the session began.
Default is disabled (nil). Requires a `created_at` column in the session
table.CGI::Session::ActiveRecordStore::Session.auto_clean_sessions = 1000
Does a random test to see if the app should delete all expired sessions
now. The odds are 1 in whatever value is provided here. 0 will disable
this option. Default is 1000. A busy site may want 10000 or higher.ActionController::CgiRequest.ip_restriction = :subnet
If set to :subnet, will compare the first three quads of the IPv4 address
for a match. If set to :exact, will compare the full IP address (which
should also work for IPv6). If no match, the session will be reset.
Default is :none. Stores the IP match data in the session store as
session[:ip].Other Notes: This is not compatible with an old `sessid` column; it only works with `session_id`.
I'm sure there are better ways to do some of what's here, but this seems to
work. It has been tested with Rails 1.2.3 and PostgreSQL 8.1. If you find
a bug, have a suggestion, or just want to tell me that it works, I'd love to
hear from you. Thanks for checking limited_sessions out! --t (tm@iprog.com; http://iprog.com/)NOTE: This description has been extracted from the Plugin README and so the formatting may need updating to make browser friendly
Edit
Report
