limited_sessions 3.0.0

data/CHANGELOG

@@ -0,0 +1,41 @@
+* 2012-jun-25 - Rails 3 and generic Rack compatibility; much simplified
+
+  - LimitedSessions has been broken up into two parts:
+    - Rack-compatible middleware that handles session time limits. This
+      *should* work for all session stores. Just requires Rack, not 
+      necessarily Rails.
+    - Rails 3 specific enhancement to the ActiveRecord Session Store
+      that also cleans up stale session records.
+  - Rails 3.2 (maybe 3.0 and 3.1; untested) compatibility. No longer
+    compatible with Rails 2--use previous versions.
+  - All IP matching and restrictions have been removed. In short, dual-
+    stack environments (IPv4+IPv6) have a tendency to bounce between v4
+    and v6 at times. This causes sessions to be aborted regularly.
+
+* 2010-jul-20 - IPv6, replay attack mitigation, more non-AR support
+
+  - IPv6 now works for subnet matching.
+  - New options to configure the allowed subnet size (both IPv4 and 
+    IPv6) added.
+  - Plugin now enhances reset_session to clear old session data from
+    the DB; this prevents session_id replay attacks when using 
+    DB-backed session storage.
+  - Session activity and hard limits now work with non-ActiveRecord
+    session stores. Configuration is done differently depending on 
+    which session store is in use.
+
+* 2009-apr-22 - update to support rails 2.3
+
+  - Rails 2.3 changed the internal session code substantially. This new
+    version now supports rails 2.3. Note that is no longer supports any
+    version of rails prior to 2.3 -- see the README for where to find
+    an older version of this plugin for rails 2.2 and earlier. 
+  - CONFIGURATION OPTIONS HAVE CHANGED. This is required by the new
+    support for rails 2.3. See the README for more information.
+
+* 2008-jul-23 - update to improve rails 2.1 compatibility 
+  
+  - disable partial-updates for the session table
+    (thanks to eilonon erkki for bringing the problem to my attention)
+  
+* 2007-sep-06 - initial release

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright 2007-2012 t.e.morgan
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README

@@ -0,0 +1,201 @@
+LimitedSessions
+===============
+Copyright 2007-2012 t.e.morgan.
+License: MIT
+
+Updates/info: http://iprog.com/projects#limited_sessions
+Source: https://github.com/zarqman/limited_sessions
+Contact: tm@iprog.com
+
+
+LimitedSessions provides two distinct features, each in a separate part:
+  * Rack-compatible middleware that expires sessions based on inactivity or
+    maximum session length. This works with Rails 3 just fine.
+  * Rails 3 extension to the ActiveRecord Session Store to auto-cleanup stale
+    session records.
+
+
+Notes on Rails and Rack versions:
+  The middleware should be compatible with any framework using a recent
+  version of Rack. It was tested with Rack 1.4 and Rails 3.2.
+  
+  The ActiveRecord Session Store extension requires Rails 3 (and was also
+  tested with Rails 3.2).
+  
+  Versions compatible with Rails 2.3 and Rails 2.2/prior can be found at:
+  https://github.com/zarqman/limited_sessions/tree/v2.3 and
+  https://github.com/zarqman/limited_sessions/tree/v2.2
+
+
+Upgrading from previous versions:
+  Both initialization and configuration options have changed. See the
+  Configuration section below. 
+  
+  Note that all support for IP address restrictions has been removed. IPv4/IPv6
+  dual-stack environments have demonstrated a number of real-world issues, 
+  namely user HTTP traffic bouncing between IPv4 and IPv6 resulting in chronic
+  session resets. Additionally, homes and offices increasingly have two or more
+  ISPs, not to mention mobile devices bouncing between WiFi and 3G/4G networks.
+  These scenarios also cause frequent IP address changes.
+
+
+Features:
+  * For all session stores:
+    * Configurable session expiry time (eg: 2 hours from last page access)
+    * Optional hard maximum limit from beginning of session (eg: 24 hours)
+  * When using the ActiveRecord Session Store:
+    * DB-based handling of session expiry (activity and hard limits) instead of
+      by session paramters
+    * Auto-cleaning of expired session records
+
+  
+Requirements:
+  * Rack and possibly Rails 3
+  * Utilizing Rack's (or Rails') sessions support
+  * For ActiveRecord session enhancements:
+    * Must be using the standard ActiveRecord::SessionStore
+      (ActionController::Base.session_store = :active_record_store)
+    * Ensure your sessions table has an `updated_at` column
+    * If using hard session limits, a `created_at` column is needed too
+
+
+Installation:
+  Add this gem to your Gemfile (Rails) or otherwise make it available to your
+  app. Then, configure as required.
+
+  gem 'limited_sessions'
+
+
+Configuration:
+  Rack Middleware with Rails
+    1. To either your config/environments/production.rb or your 
+       config/application.rb file (depending on if you want this to apply in
+       production only or also during development), add the following:
+
+       config.middleware.insert_after ActionDispatch::Flash, LimitedSessions::Expiry, \
+         :recent_activity=>2.hours, :max_session=>24.hours
+
+    2. Configuration options.
+       The example above shows both configuration options. You may include
+       both, one, or none.
+
+       * Session activity timeout *
+       Example: :recent_activity => 2.hours
+       By default, the session activity timeout is disabled (nil).
+
+       * Maximum session length *
+       Example: :max_session => 24.hours
+       By default, the maximum session length is disabled (nil).
+
+
+  Rack Middleware apart from Rails
+    1. In your config.ru, add the following *after* the middleware that handles
+       your sessions.
+
+       use LimitedSessions::Expiry, :recent_activity=>2.hours, :max_session=>24.hours
+
+    2. See #2 above, under Rack Middleware with Rails, for Configuration options.       
+
+
+  ActionRecord Session Store
+    1. If you don't already have an 'updated_at' column on your sessions table,
+       create a migration and add it. If you plan to use the hard session limit
+       feature, you'll also need to add 'created_at'.
+
+    2. Tell Rails to use your the new session store. Change 
+       config/initializers/session_store.rb to reflect the following:
+
+       <YourApp>::Application.config.session_store :active_record_store
+       ActiveRecord::SessionStore.session_class = LimitedSessions::SelfCleaningSession
+
+    3. Configuration options.
+       Each of the following options should also be added to your initializer
+       file from step 2.
+
+
+       * Self-cleaning *
+       By default, SelfCleaningSession will clean sessions out about every 1000
+       page views. Technically, it's a 1 in 1000 chance on each page. For most
+       sites this is good. Higher traffic sites may want to increase it to 
+       10000 or more. 0 will disable self-cleaning.
+
+       LimitedSessions::SelfCleaningSession.self_clean_sessions = 1000
+
+
+       * Session activity timeout *
+       The default session activity timeout is 2 hours. This uses the 
+       'updated_at' column which will be updated on every page load. 
+
+       This can also be disabled by setting to nil. However, the 'updated_at'
+       column is still required for self-cleaning and will effectively function
+       as if this was set to 1.week. If you really want it longer, set it to
+       1.year or something.
+
+       LimitedSessions::SelfCleaningSession.recent_activity = 2.hours
+
+
+       * Maximum session length *
+       By default, the maximum session length handling is disabled. When
+       enabled, it uses the 'created_at' column to do its work. 
+       
+       A value of nil disables this feature and 'created_at' does not need to
+       exist in this case.
+
+       LimitedSessions::SelfCleaningSession.max_session = 12.hours
+
+
+Other questions:
+  Do I need both the middleware and the ActiveRecord Session Store?
+    No. While it should work, it is not necessary to use both the middleware
+    and the ActiveRecord Session Store. If you are storing sessions via AR,
+    then use the ActiveRecord Session Store. If you are storing sessions any
+    other way, then use the middleware.
+
+  I'm storing sessions in {Memcache, Redis, etc.} and they auto-expire 
+  sessions. Do I need this?
+    Maybe, maybe not. Normally, that auto-expire period is equivalent to
+    LimitedSessions' :recent_activity. If that's all you want, then you don't
+    need this. However, if you'd also like to put a maximum cap on session
+    length, regardless of activity, then LimitedSessions' :max_session feature
+    will still be useful.
+
+  Can I use the middleware with ActiveRecord instead of the ActionRecord
+  Session Store enhancement?
+    Yes; session expiry (recent activity and max session length) should work
+    fine in this circumstance. The only thing you won't get is self-cleaning of
+    the AR sessions table.
+
+  How are session expiry times tracked?
+    The middleware adds one or two keys to the session data: :last_visit and/or
+    :first_visit.
+    The AR enhancement uses 'updated_at' and possibly 'created_at'.
+
+  How is this different from using the session cookie's own expires= value?
+    The cookie's own value puts the trust in the client to self-expire. If you
+    really want to control session lengths, then you need to manage the values
+    on the application side. LimitedSessions is fully compatible with the
+    cookie's expires= value, however, and the two can be used together.
+
+  What's the difference between :recent_activity and :max_session?
+    Recent activity requires regular access on your site. If it's set to 15
+    minutes, then a page must be loaded at least once every 15 minutes.
+    
+    Max session is a cap on the session from the very beginning. If it's set to
+    12 hours, then even if a user is accessing the page constantly, and not
+    triggering the recent activity timeout, after 12 hours their session would
+    be reset anyway.
+
+  Is the AR enhancement compatible with the legacy 'sessid' column?
+    No. Please rename that column to 'session_id'.
+
+
+Other Notes:
+  I'm sure there are better ways to do some of what's here, but this seems to
+  work. This version has been tested on Rack 1.4, Rails 3.2, PostgreSQL 9.1,
+  and Redis 2.2 (via the redis and redis-session-store gems). Other databases
+  and session stores should work, but if you find a bug, I'd love to hear about
+  it. Likewise, give me a shout if you have a suggestion or just want to tell
+  me that it works. Thanks for checking limited_sessions out!
+  
+      --t (tm@iprog.com; http://iprog.com/)
+

data/Rakefile

@@ -0,0 +1,39 @@
+#!/usr/bin/env rake
+begin
+  require 'bundler/setup'
+rescue LoadError
+  puts 'You must `gem install bundler` and `bundle install` to run rake tasks'
+end
+begin
+  require 'rdoc/task'
+rescue LoadError
+  require 'rdoc/rdoc'
+  require 'rake/rdoctask'
+  RDoc::Task = Rake::RDocTask
+end
+
+RDoc::Task.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'LimitedSessions'
+  rdoc.options << '--line-numbers'
+  # rdoc.rdoc_files.include('README.rdoc')
+  rdoc.rdoc_files.include('README')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+
+
+
+
+Bundler::GemHelper.install_tasks
+
+require 'rake/testtask'
+
+Rake::TestTask.new(:test) do |t|
+  t.libs << 'lib'
+  t.libs << 'test'
+  t.pattern = 'test/**/*_test.rb'
+  t.verbose = false
+end
+
+
+task :default => :test

data/lib/limited_sessions.rb

@@ -0,0 +1,11 @@
+# LimitedSessions
+# (c) 2007-2012 t.e.morgan
+# Made available under the MIT license
+
+module LimitedSessions
+end
+
+require 'limited_sessions/expiry'
+if defined? ActiveRecord
+  require 'limited_sessions/self_cleaning_session'
+end

data/lib/limited_sessions/expiry.rb

@@ -0,0 +1,56 @@
+# LimitedSessions
+# (c) 2007-2012 t.e.morgan
+# Made available under the MIT license
+
+# This version is compatible with Rack 1.4 (possibly earlier; untested).
+# Correspondingly, it is compatible with Rails 3.x.
+
+module LimitedSessions
+  # Rack middleware that should be installed *after* the session handling middleware
+  class Expiry
+    DEFAULT_OPTIONS = {
+      :recent_activity => nil,  # eg: 2.hours
+      :max_session => nil       # eg: 24.hours
+    }
+
+    def initialize(app, options={})
+      @app = app
+      @options = DEFAULT_OPTIONS.merge(options)
+    end
+
+    def call(env)
+      @env = env
+      if @options[:recent_activity]
+        if session[:last_visit] && (session[:last_visit] + @options[:recent_activity]) < Time.now.to_i
+          logger.info "Session expired: no recent activity"
+          clear_session
+        end
+        if @options[:recent_activity] > 600
+          # Rounds to the nearest 5 minutes to minimize writes when a DB is in use
+          session[:last_visit] = (Time.now.to_f/300).ceil*300
+        else
+          session[:last_visit] = (Time.now.to_f/10).ceil*10
+        end
+      end
+      if @options[:max_session]
+        session[:first_visit] ||= Time.now.to_i
+        if (session[:first_visit] + @options[:max_session]) < Time.now.to_i
+          logger.info "Session expired: max session length reached"
+          clear_session
+          session[:first_visit] ||= Time.now.to_i
+        end
+      end
+      @app.call(env)
+    end
+
+    def session
+      @env['rack.session'] || {}
+    end
+    def clear_session
+      @env['rack.session'].clear
+    end
+    def logger
+      (Rails.logger rescue nil) || @env['rack.logger']
+    end
+  end
+end

data/lib/limited_sessions/self_cleaning_session.rb

@@ -0,0 +1,54 @@
+# LimitedSessions
+# (c) 2007-2012 t.e.morgan
+# Made available under the MIT license
+
+# This is the Rails 3.x version; it is /not/ compatible with Rails 2.x.
+
+module LimitedSessions
+  class SelfCleaningSession < ActiveRecord::SessionStore::Session
+
+    # disable short circuit by Dirty module; ensures :updated_at is kept updated
+    self.partial_updates = false
+
+    self.table_name = 'sessions'
+
+    cattr_accessor :recent_activity, :max_session, :self_clean_sessions
+    self.recent_activity      = 2.hours # eg: 2.hours ; nil disables
+    self.max_session          = nil     # eg: 24.hours ; nil disables
+    self.self_clean_sessions  = 1000    # 0 disables
+
+    scope :active_session, lambda {
+      recent_activity ? where("updated_at > ?", Time.current - recent_activity) : []
+    }
+    scope :current_session, lambda {
+      max_session ? where("created_at > ?", Time.current - max_session) : []
+    }
+
+    class << self
+      # This disables compatibility with 'sessid'. The key column *must* be session_id.
+      # If this is a problem, use a migration and rename the column.
+      def find_by_session_id(session_id)
+        consider_self_clean
+        active_session.current_session.where(:session_id=>session_id).first
+      end
+
+      private
+      def consider_self_clean
+        return if self_clean_sessions == 0
+        if rand(self_clean_sessions) == 0
+          # logger.info "SelfCleaningSession :: scrubbing expired sessions"
+          look_back_recent = recent_activity || 1.week
+          if max_session
+            delete_all ['updated_at < ? OR created_at < ?', Time.current - look_back_recent, Time.current - max_session]
+          elsif columns_hash['updated_at']
+            delete_all ['updated_at < ?', Time.current - look_back_recent]
+          else
+            # logger.warning "WARNING: Unable to self-clean Sessions table; updated_at column is missing"
+            self.self_clean_sessions = 0
+          end
+        end
+      end
+    end
+
+  end
+end

data/lib/limited_sessions/version.rb

@@ -0,0 +1,3 @@
+module LimitedSessions
+  VERSION = "3.0.0"
+end

data/lib/tasks/limited_sessions_tasks.rake

@@ -0,0 +1,4 @@
+# desc "Explaining what the task does"
+# task :limited_sessions do
+#   # Task goes here
+# end

data/test/dummy/README.rdoc

@@ -0,0 +1,261 @@
+== Welcome to Rails
+
+Rails is a web-application framework that includes everything needed to create
+database-backed web applications according to the Model-View-Control pattern.
+
+This pattern splits the view (also called the presentation) into "dumb"
+templates that are primarily responsible for inserting pre-built data in between
+HTML tags. The model contains the "smart" domain objects (such as Account,
+Product, Person, Post) that holds all the business logic and knows how to
+persist themselves to a database. The controller handles the incoming requests
+(such as Save New Account, Update Product, Show Post) by manipulating the model
+and directing data to the view.
+
+In Rails, the model is handled by what's called an object-relational mapping
+layer entitled Active Record. This layer allows you to present the data from
+database rows as objects and embellish these data objects with business logic
+methods. You can read more about Active Record in
+link:files/vendor/rails/activerecord/README.html.
+
+The controller and view are handled by the Action Pack, which handles both
+layers by its two parts: Action View and Action Controller. These two layers
+are bundled in a single package due to their heavy interdependence. This is
+unlike the relationship between the Active Record and Action Pack that is much
+more separate. Each of these packages can be used independently outside of
+Rails. You can read more about Action Pack in
+link:files/vendor/rails/actionpack/README.html.
+
+
+== Getting Started
+
+1. At the command prompt, create a new Rails application:
+       <tt>rails new myapp</tt> (where <tt>myapp</tt> is the application name)
+
+2. Change directory to <tt>myapp</tt> and start the web server:
+       <tt>cd myapp; rails server</tt> (run with --help for options)
+
+3. Go to http://localhost:3000/ and you'll see:
+       "Welcome aboard: You're riding Ruby on Rails!"
+
+4. Follow the guidelines to start developing your application. You can find
+the following resources handy:
+
+* The Getting Started Guide: http://guides.rubyonrails.org/getting_started.html
+* Ruby on Rails Tutorial Book: http://www.railstutorial.org/
+
+
+== Debugging Rails
+
+Sometimes your application goes wrong. Fortunately there are a lot of tools that
+will help you debug it and get it back on the rails.
+
+First area to check is the application log files. Have "tail -f" commands
+running on the server.log and development.log. Rails will automatically display
+debugging and runtime information to these files. Debugging info will also be
+shown in the browser on requests from 127.0.0.1.
+
+You can also log your own messages directly into the log file from your code
+using the Ruby logger class from inside your controllers. Example:
+
+  class WeblogController < ActionController::Base
+    def destroy
+      @weblog = Weblog.find(params[:id])
+      @weblog.destroy
+      logger.info("#{Time.now} Destroyed Weblog ID ##{@weblog.id}!")
+    end
+  end
+
+The result will be a message in your log file along the lines of:
+
+  Mon Oct 08 14:22:29 +1000 2007 Destroyed Weblog ID #1!
+
+More information on how to use the logger is at http://www.ruby-doc.org/core/
+
+Also, Ruby documentation can be found at http://www.ruby-lang.org/. There are
+several books available online as well:
+
+* Programming Ruby: http://www.ruby-doc.org/docs/ProgrammingRuby/ (Pickaxe)
+* Learn to Program: http://pine.fm/LearnToProgram/ (a beginners guide)
+
+These two books will bring you up to speed on the Ruby language and also on
+programming in general.
+
+
+== Debugger
+
+Debugger support is available through the debugger command when you start your
+Mongrel or WEBrick server with --debugger. This means that you can break out of
+execution at any point in the code, investigate and change the model, and then,
+resume execution! You need to install ruby-debug to run the server in debugging
+mode. With gems, use <tt>sudo gem install ruby-debug</tt>. Example:
+
+  class WeblogController < ActionController::Base
+    def index
+      @posts = Post.all
+      debugger
+    end
+  end
+
+So the controller will accept the action, run the first line, then present you
+with a IRB prompt in the server window. Here you can do things like:
+
+  >> @posts.inspect
+  => "[#<Post:0x14a6be8
+          @attributes={"title"=>nil, "body"=>nil, "id"=>"1"}>,
+       #<Post:0x14a6620
+          @attributes={"title"=>"Rails", "body"=>"Only ten..", "id"=>"2"}>]"
+  >> @posts.first.title = "hello from a debugger"
+  => "hello from a debugger"
+
+...and even better, you can examine how your runtime objects actually work:
+
+  >> f = @posts.first
+  => #<Post:0x13630c4 @attributes={"title"=>nil, "body"=>nil, "id"=>"1"}>
+  >> f.
+  Display all 152 possibilities? (y or n)
+
+Finally, when you're ready to resume execution, you can enter "cont".
+
+
+== Console
+
+The console is a Ruby shell, which allows you to interact with your
+application's domain model. Here you'll have all parts of the application
+configured, just like it is when the application is running. You can inspect
+domain models, change values, and save to the database. Starting the script
+without arguments will launch it in the development environment.
+
+To start the console, run <tt>rails console</tt> from the application
+directory.
+
+Options:
+
+* Passing the <tt>-s, --sandbox</tt> argument will rollback any modifications
+  made to the database.
+* Passing an environment name as an argument will load the corresponding
+  environment. Example: <tt>rails console production</tt>.
+
+To reload your controllers and models after launching the console run
+<tt>reload!</tt>
+
+More information about irb can be found at:
+link:http://www.rubycentral.org/pickaxe/irb.html
+
+
+== dbconsole
+
+You can go to the command line of your database directly through <tt>rails
+dbconsole</tt>. You would be connected to the database with the credentials
+defined in database.yml. Starting the script without arguments will connect you
+to the development database. Passing an argument will connect you to a different
+database, like <tt>rails dbconsole production</tt>. Currently works for MySQL,
+PostgreSQL and SQLite 3.
+
+== Description of Contents
+
+The default directory structure of a generated Ruby on Rails application:
+
+  |-- app
+  |   |-- assets
+  |       |-- images
+  |       |-- javascripts
+  |       `-- stylesheets
+  |   |-- controllers
+  |   |-- helpers
+  |   |-- mailers
+  |   |-- models
+  |   `-- views
+  |       `-- layouts
+  |-- config
+  |   |-- environments
+  |   |-- initializers
+  |   `-- locales
+  |-- db
+  |-- doc
+  |-- lib
+  |   `-- tasks
+  |-- log
+  |-- public
+  |-- script
+  |-- test
+  |   |-- fixtures
+  |   |-- functional
+  |   |-- integration
+  |   |-- performance
+  |   `-- unit
+  |-- tmp
+  |   |-- cache
+  |   |-- pids
+  |   |-- sessions
+  |   `-- sockets
+  `-- vendor
+      |-- assets
+          `-- stylesheets
+      `-- plugins
+
+app
+  Holds all the code that's specific to this particular application.
+
+app/assets
+  Contains subdirectories for images, stylesheets, and JavaScript files.
+
+app/controllers
+  Holds controllers that should be named like weblogs_controller.rb for
+  automated URL mapping. All controllers should descend from
+  ApplicationController which itself descends from ActionController::Base.
+
+app/models
+  Holds models that should be named like post.rb. Models descend from
+  ActiveRecord::Base by default.
+
+app/views
+  Holds the template files for the view that should be named like
+  weblogs/index.html.erb for the WeblogsController#index action. All views use
+  eRuby syntax by default.
+
+app/views/layouts
+  Holds the template files for layouts to be used with views. This models the
+  common header/footer method of wrapping views. In your views, define a layout
+  using the <tt>layout :default</tt> and create a file named default.html.erb.
+  Inside default.html.erb, call <% yield %> to render the view using this
+  layout.
+
+app/helpers
+  Holds view helpers that should be named like weblogs_helper.rb. These are
+  generated for you automatically when using generators for controllers.
+  Helpers can be used to wrap functionality for your views into methods.
+
+config
+  Configuration files for the Rails environment, the routing map, the database,
+  and other dependencies.
+
+db
+  Contains the database schema in schema.rb. db/migrate contains all the
+  sequence of Migrations for your schema.
+
+doc
+  This directory is where your application documentation will be stored when
+  generated using <tt>rake doc:app</tt>
+
+lib
+  Application specific libraries. Basically, any kind of custom code that
+  doesn't belong under controllers, models, or helpers. This directory is in
+  the load path.
+
+public
+  The directory available for the web server. Also contains the dispatchers and the
+  default HTML files. This should be set as the DOCUMENT_ROOT of your web
+  server.
+
+script
+  Helper scripts for automation and generation.
+
+test
+  Unit and functional tests along with fixtures. When using the rails generate
+  command, template test files will be generated for you and placed in this
+  directory.
+
+vendor
+  External libraries that the application depends on. Also includes the plugins
+  subdirectory. If the app has frozen rails, those gems also go here, under
+  vendor/rails/. This directory is in the load path.