limited_sessions 3.0.2 → 4.0.0

data/CHANGELOG CHANGED
@@ -1,3 +1,13 @@
1
+ * 2013-jun-15 - Support for Rails 4
2
+
3
+ - v4.0.0 - Rails 4 compatibility. Use v3.x.x for Rails 3 apps.
4
+ - For non-ActiveRecord session stores, no change is required from the
5
+ previous version.
6
+ - For ActiveRecord session stores, you must add the
7
+ 'activerecord-session_store' gem to your Gemfile and it must be
8
+ above limited_sessions so that it will be auto-detected properly.
9
+ This is the only change required.
10
+
1
11
  * 2012-nov-14 - Merge changes from ejdraper
2
12
 
3
13
  - Lower Rack requirement to v1.2.5+ for Rails 3.0 compatibility
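Review bot: "This is the only change required" for ActiveRecord session stores is incomplete: the README in this same release also changes the initializer line from `ActiveRecord::SessionStore.session_class = LimitedSessions::SelfCleaningSession` to `ActionDispatch::Session::ActiveRecordStore.session_class = LimitedSessions::SelfCleaningSession`, so AR users upgrading from 3.x must edit config/initializers/session_store.rb as well as their Gemfile. Add that to the v4.0.0 entry so the changelog and README agree on what an upgrade involves.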
data/MIT-LICENSE CHANGED
@@ -1,4 +1,4 @@
1
- Copyright 2007-2012 t.e.morgan
1
+ Copyright 2007-2013 t.e.morgan
2
2
 
3
3
  Permission is hereby granted, free of charge, to any person obtaining
4
4
  a copy of this software and associated documentation files (the
data/README CHANGED
@@ -1,6 +1,6 @@
1
1
  LimitedSessions
2
2
  ===============
3
- Copyright 2007-2012 t.e.morgan.
3
+ Copyright 2007-2013 t.e.morgan.
4
4
  License: MIT
5
5
 
6
6
  Updates/info: http://iprog.com/projects#limited_sessions
@@ -10,33 +10,32 @@ Contact: tm@iprog.com
10
10
 
11
11
  LimitedSessions provides two distinct features, each in a separate part:
12
12
  * Rack-compatible middleware that expires sessions based on inactivity or
13
- maximum session length. This works with Rails 3 just fine.
14
- * Rails 3 extension to the ActiveRecord Session Store to auto-cleanup stale
15
- session records.
13
+ maximum session length. This works with Rails 4 just fine.
14
+ * Rails 4 extension to the (now separate) ActiveRecord Session Store to
15
+ auto-cleanup stale session records.
16
16
 
17
17
 
18
18
  Notes on Rails and Rack versions:
19
19
  The middleware should be compatible with any framework using a recent
20
- version of Rack. It was tested with Rack 1.4 and Rails 3.2.
20
+ version of Rack. It was tested with Rack 1.5 and Rails 4.0.
21
21
 
22
- The ActiveRecord Session Store extension requires Rails 3 (and was also
23
- tested with Rails 3.2).
24
-
25
- Versions compatible with Rails 2.3 and Rails 2.2/prior can be found at:
26
- https://github.com/zarqman/limited_sessions/tree/v2.3 and
27
- https://github.com/zarqman/limited_sessions/tree/v2.2
22
+ The ActiveRecord Session Store extension requires Rails 4 and the now
23
+ separate activerecord-session_store gem:
24
+ gem 'activerecord-session_store'
25
+ activerecord-session_store must be *before* limited_sessions in your Gemfile
26
+ in order for limited_sessions to auto-detect it.
27
+
28
+ For Rails 3, use limited_sessions v3.x.x:
29
+ gem 'limited_sessions', '~> 3.0'
28
30
 
29
31
 
30
32
  Upgrading from previous versions:
31
- Both initialization and configuration options have changed. See the
32
- Configuration section below.
33
-
34
- Note that all support for IP address restrictions has been removed. IPv4/IPv6
35
- dual-stack environments have demonstrated a number of real-world issues,
36
- namely user HTTP traffic bouncing between IPv4 and IPv6 resulting in chronic
37
- session resets. Additionally, homes and offices increasingly have two or more
38
- ISPs, not to mention mobile devices bouncing between WiFi and 3G/4G networks.
39
- These scenarios also cause frequent IP address changes.
33
+ Other than possibly requiring the activerecord-session_store gem as noted
34
+ above, no changes are required upgrading from limited_sessions 3.x to 4.0.
35
+
36
+ If upgrading from limited_sessions v2.x, please review the upgrade notes from
37
+ limited_sessions 3.x or build a new configuration using the instructions
38
+ below.
40
39
 
41
40
 
42
41
  Features:
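Review bot: the Gemfile-ordering requirement ("activerecord-session_store must be *before* limited_sessions") is a load-order footgun, and nothing fails loudly when it is violated: the AR extension is simply not loaded and stale session rows silently stop being cleaned. Suggest either having the gem require the store itself (a require guarded by rescue LoadError) so order no longer matters, or at least telling users how to verify the setup, e.g. that `LimitedSessions::SelfCleaningSession` is defined in a Rails console. Separately, the removed URLs for the v2.2/v2.3 branches were the only pointer for Rails 2.x users; the new text sends them to "the upgrade notes from limited_sessions 3.x" without saying where those live, so keep the branch links or point at the 3.x README.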
@@ -50,11 +49,11 @@ Features:
50
49
 
51
50
 
52
51
  Requirements:
53
- * Rack and possibly Rails 3
52
+ * Rack and any Rack-compatible app (including Rails 4)
54
53
  * Utilizing Rack's (or Rails') sessions support
55
54
  * For ActiveRecord session enhancements:
56
55
  * Must be using the standard ActiveRecord::SessionStore
57
- (ActionController::Base.session_store = :active_record_store)
56
+ (ActionDispatch::Session::ActiveRecordStore.session_store = :active_record_store)
58
57
  * Ensure your sessions table has an `updated_at` column
59
58
  * If using hard session limits, a `created_at` column is needed too
60
59
 
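Review bot: the replacement line `(ActionDispatch::Session::ActiveRecordStore.session_store = :active_record_store)` is not how the store is selected and contradicts the Configuration section of this same README, which uses `<YourApp>::Application.config.session_store :active_record_store`. Use that form here too. The bullet above it still says "the standard ActiveRecord::SessionStore"; with the separate activerecord-session_store gem the class users see is `ActionDispatch::Session::ActiveRecordStore`, so pick one name and use it consistently in Requirements and Configuration.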
@@ -63,28 +62,27 @@ Installation:
63
62
  Add this gem to your Gemfile (Rails) or otherwise make it available to your
64
63
  app. Then, configure as required.
65
64
 
66
- gem 'limited_sessions'
65
+ gem 'limited_sessions', '~> 4.0'
67
66
 
68
67
 
69
68
  Configuration:
70
69
  Rack Middleware with Rails
71
- 1. To either your config/environments/production.rb or your
72
- config/application.rb file (depending on if you want this to apply in
73
- production only or also during development), add the following:
70
+ 1. Update your config/initializers/session_store.rb and append the
71
+ following:
74
72
 
75
73
  config.middleware.insert_after ActionDispatch::Flash, LimitedSessions::Expiry, \
76
- :recent_activity=>2.hours, :max_session=>24.hours
74
+ recent_activity: 2.hours, max_session: 24.hours
77
75
 
78
76
  2. Configuration options.
79
77
  The example above shows both configuration options. You may include
80
78
  both, one, or none.
81
79
 
82
80
  * Session activity timeout *
83
- Example: :recent_activity => 2.hours
81
+ Example: recent_activity: 2.hours
84
82
  By default, the session activity timeout is disabled (nil).
85
83
 
86
84
  * Maximum session length *
87
- Example: :max_session => 24.hours
85
+ Example: max_session: 24.hours
88
86
  By default, the maximum session length is disabled (nil).
89
87
 
90
88
 
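Review bot: moving the middleware insertion into config/initializers/session_store.rb breaks the unchanged example line `config.middleware.insert_after ActionDispatch::Flash, LimitedSessions::Expiry, \`: inside an initializer file there is no `config` local, so that line raises NameError. Either write it as `Rails.application.config.middleware.insert_after ...` (or `<YourApp>::Application.config.middleware...`, matching the form this README uses for session_store), or keep the previous advice of placing it in config/application.rb or config/environments/*.rb where `config` is in scope. The Ruby 1.9 hash syntax introduced here (`recent_activity: 2.hours, max_session: 24.hours`) also means the examples no longer run on Ruby 1.8, which the gemspec's required_ruby_version should reflect.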
@@ -92,7 +90,7 @@ Configuration:
92
90
  1. In your config.ru, add the following *after* the middleware that handles
93
91
  your sessions.
94
92
 
95
- use LimitedSessions::Expiry, :recent_activity=>2.hours, :max_session=>24.hours
93
+ use LimitedSessions::Expiry, recent_activity: 2.hours, max_session: 24.hours
96
94
 
97
95
  2. See #2 above, under Rack Middleware with Rails, for Configuration options.
98
96
 
@@ -106,7 +104,7 @@ Configuration:
106
104
  config/initializers/session_store.rb to reflect the following:
107
105
 
108
106
  <YourApp>::Application.config.session_store :active_record_store
109
- ActiveRecord::SessionStore.session_class = LimitedSessions::SelfCleaningSession
107
+ ActionDispatch::Session::ActiveRecordStore.session_class = LimitedSessions::SelfCleaningSession
110
108
 
111
109
  3. Configuration options.
112
110
  Each of the following options should also be added to your initializer
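Review bot: `ActionDispatch::Session::ActiveRecordStore.session_class = LimitedSessions::SelfCleaningSession` is the line users will copy, and it is exactly where the Gemfile-ordering problem surfaces: if activerecord-session_store was loaded after limited_sessions, `LimitedSessions::SelfCleaningSession` was never required and this line fails with NameError (uninitialized constant LimitedSessions::SelfCleaningSession), an error that gives no hint about gem order. Repeat the ordering requirement next to this example and name that error so readers can recognise it.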
@@ -114,9 +112,9 @@ Configuration:
114
112
 
115
113
 
116
114
  * Self-cleaning *
117
- By default, SelfCleaningSession will clean sessions out about every 1000
118
- page views. Technically, it's a 1 in 1000 chance on each page. For most
119
- sites this is good. Higher traffic sites may want to increase it to
115
+ By default, SelfCleaningSession will clean the sessions table about every
116
+ 1000 page views. Technically, it's a 1 in 1000 chance on each page. For
117
+ most sites this is good. Higher traffic sites may want to increase it to
120
118
  10000 or more. 0 will disable self-cleaning.
121
119
 
122
120
  LimitedSessions::SelfCleaningSession.self_clean_sessions = 1000
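Review bot: the reworded paragraph should state where the cleanup runs: it is triggered inside the request that wins the 1-in-1000 draw (the performance answer later in this diff acknowledges that request "may be slightly slower"), so on a large or neglected sessions table that user pays for the whole DELETE, including any locks it takes. Worth saying explicitly, and worth pairing with the "0 will disable self-cleaning" sentence as the option for sites that prefer to run the cleanup from a scheduled task instead.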
@@ -185,17 +183,47 @@ Other questions:
185
183
  triggering the recent activity timeout, after 12 hours their session would
186
184
  be reset anyway.
187
185
 
186
+ What are the security implications of using LimitedSessions?
187
+ LimitedSessions enhances security by reducing risk of session cookie replay
188
+ attacks. The specifics will depend on what cookie store you're using.
189
+
190
+ For Rails' default cookie store, :max_session handling is perhaps most
191
+ valuable as it guarantees an end to the session. Rails' default behavior
192
+ allows a session to last for an infinite time. If a cookie is somehow
193
+ exposed, the holder of the cookie has an open-ended session. Note that
194
+ signing and/or encryption do not mitigate this.
195
+
196
+ For any session store that uses a server-side database (AR, memcache, Redis,
197
+ etc.), at least the user can formally logout and terminate the session.
198
+ Auto-expiring sessions (memcache, Redis, AR w/SelfCleaningSession, etc.)
199
+ will also expire if allowed to, but can also be maintained perpetually by
200
+ ongoing access.
201
+
202
+ Since the cookie store doesn't expire ever, :recent_activity addresses this
203
+ by making sessions expire similarly to if memcache, Redis, or something
204
+ similar was being used.
205
+
206
+ It is recommended to use both halves of LimitedSessions for best security.
207
+
208
+ What are the performance implications of using LimitedSessions?
209
+ The middleware should have minimal impact.
210
+
211
+ The AR enhancement should result in an overall net gain in performance as
212
+ the size of the AR sessions table will be kept to a smaller size. The 1 in
213
+ 1000 hit (or whatever you've configured it to) may be slightly slower while
214
+ the database cleanup is in progress.
215
+
188
216
  Is the AR enhancement compatible with the legacy 'sessid' column?
189
217
  No. Please rename that column to 'session_id'.
190
218
 
191
219
 
192
220
  Other Notes:
193
- I'm sure there are better ways to do some of what's here, but this seems to
194
- work. This version has been tested on Rack 1.4, Rails 3.2, PostgreSQL 9.1,
195
- and Redis 2.2 (via the redis and redis-session-store gems). Other databases
196
- and session stores should work, but if you find a bug, I'd love to hear about
197
- it. Likewise, give me a shout if you have a suggestion or just want to tell
198
- me that it works. Thanks for checking limited_sessions out!
221
+ This version has been tested on Rack 1.5 and Rails 4.0. It should be
222
+ compatible with a broad spectrum of data and session stores. If you find a
223
+ bug, I'd love to hear about it -- preferably via a new issue on GitHub (bonus
224
+ points for a pull request). Likewise, give me a shout if you have a suggestion
225
+ or just want to tell me that it works. Thanks for checking limited_sessions
226
+ out!
199
227
 
200
228
  --t (tm@iprog.com; http://iprog.com/)
201
229
 
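Review bot: the security answer needs the converse of "signing and/or encryption do not mitigate this": with the cookie store, whatever the middleware records to enforce :recent_activity and :max_session lives in the session and therefore in the cookie itself, so the expiry is only as strong as the cookie signature, and anyone holding the application's signing secret can mint a session with fresh timestamps. Likewise, a stolen cookie stays valid until the timeouts trip, since there is no server-side state to revoke. State both limits plainly so "guarantees an end to the session" is not read as protection against a compromised secret. Minor wording: "Since the cookie store doesn't expire ever" reads awkwardly; "Since cookie-store sessions never expire on their own" is clearer.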
@@ -1,11 +1,11 @@
1
1
  # LimitedSessions
2
- # (c) 2007-2012 t.e.morgan
2
+ # (c) 2007-2013 t.e.morgan
3
3
  # Made available under the MIT license
4
4
 
5
5
  module LimitedSessions
6
6
  end
7
7
 
8
8
  require 'limited_sessions/expiry'
9
- if defined? ActiveRecord
9
+ if defined? ActiveRecord::SessionStore::Session
10
10
  require 'limited_sessions/self_cleaning_session'
11
11
  end
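Review bot: `if defined? ActiveRecord::SessionStore::Session` makes the AR half of the gem silently absent whenever activerecord-session_store is loaded after limited_sessions (the ordering the README warns about); `defined?` just returns nil and nothing is reported. Rather than relying on Gemfile order, require the store here (`require 'active_record/session_store'` rescued with LoadError) or register the extension from a Railtie initializer that runs after all gems are loaded. If the guard stays, warn when ActiveRecord is present but the session store class is not, so the misconfiguration is visible in the log.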
@@ -1,9 +1,9 @@
1
1
  # LimitedSessions
2
- # (c) 2007-2012 t.e.morgan
2
+ # (c) 2007-2013 t.e.morgan
3
3
  # Made available under the MIT license
4
4
 
5
- # This version is compatible with Rack 1.4 (possibly earlier; untested).
6
- # Correspondingly, it is compatible with Rails 3.x.
5
+ # This version is compatible with Rack 1.4-1.5 (possibly earlier; untested).
6
+ # Correspondingly, it is compatible with Rails 3.x-4.x.
7
7
 
8
8
  module LimitedSessions
9
9
  # Rack middleware that should be installed *after* the session handling middleware
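Review bot: the updated comment `# Correspondingly, it is compatible with Rails 3.x-4.x.` conflicts with the CHANGELOG in this same release ("Use v3.x.x for Rails 3 apps") and with the gemspec's new rails constraint (>= 4.0.0.beta, < 5). If the Rack middleware on its own still works under Rails 3, that is a useful fact and the CHANGELOG/README should say the Rails 3 restriction applies only to the ActiveRecord extension; otherwise change this comment to 4.x so the three places agree.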
@@ -2,13 +2,13 @@
2
2
  # (c) 2007-2012 t.e.morgan
3
3
  # Made available under the MIT license
4
4
 
5
- # This is the Rails 3.x version; it is /not/ compatible with Rails 2.x.
5
+ # This is the Rails 4.x version.
6
6
 
7
7
  module LimitedSessions
8
8
  class SelfCleaningSession < ActiveRecord::SessionStore::Session
9
9
 
10
10
  # disable short circuit by Dirty module; ensures :updated_at is kept updated
11
- self.partial_updates = false
11
+ self.partial_writes = false
12
12
 
13
13
  self.table_name = 'sessions'
14
14
 
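Review bot: the copyright header `# (c) 2007-2012 t.e.morgan` in this file was not bumped to 2013 while the other files were. On the substantive change, `self.partial_writes = false` is the Rails 4 spelling of the `partial_updates` setting (deprecated in 4.0) and keeps updated_at rewritten on every save as the comment above it intends; extend that comment to say this is the Rails 4 rename so the next framework upgrade does not have to rediscover it.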
@@ -1,3 +1,3 @@
1
1
  module LimitedSessions
2
- VERSION = "3.0.2"
2
+ VERSION = '4.0.0'
3
3
  end
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: limited_sessions
3
3
  version: !ruby/object:Gem::Version
4
- version: 3.0.2
4
+ version: 4.0.0
5
5
  prerelease:
6
6
  platform: ruby
7
7
  authors:
@@ -9,7 +9,7 @@ authors:
9
9
  autorequire:
10
10
  bindir: bin
11
11
  cert_chain: []
12
- date: 2012-11-15 00:00:00.000000000 Z
12
+ date: 2013-06-28 00:00:00.000000000 Z
13
13
  dependencies:
14
14
  - !ruby/object:Gem::Dependency
15
15
  name: rack
@@ -54,17 +54,23 @@ dependencies:
54
54
  requirement: !ruby/object:Gem::Requirement
55
55
  none: false
56
56
  requirements:
57
- - - ~>
57
+ - - ! '>='
58
+ - !ruby/object:Gem::Version
59
+ version: 4.0.0.beta
60
+ - - <
58
61
  - !ruby/object:Gem::Version
59
- version: 3.2.6
62
+ version: '5'
60
63
  type: :development
61
64
  prerelease: false
62
65
  version_requirements: !ruby/object:Gem::Requirement
63
66
  none: false
64
67
  requirements:
65
- - - ~>
68
+ - - ! '>='
69
+ - !ruby/object:Gem::Version
70
+ version: 4.0.0.beta
71
+ - - <
66
72
  - !ruby/object:Gem::Version
67
- version: 3.2.6
73
+ version: '5'
68
74
  description: ! 'LimitedSessions provides two core features to handle cookie-based
69
75
  session expiry: 1) Rack Middleware for most session stores and 2) an ActiveRecord
70
76
  extension for AR-based session stores. Sessions can be expired on inactivity and/or
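Review bot: the rails constraint `>= 4.0.0.beta, < 5` is only a development dependency, and activerecord-session_store is not declared at all, so nothing installed with the gem guarantees the AR extension can load; rack remains the only runtime constraint. Since SelfCleaningSession now subclasses `ActiveRecord::SessionStore::Session` from that gem, add activerecord-session_store as at least a development dependency so the test suite exercises it, and document it as an optional runtime requirement in the gemspec description.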
@@ -105,7 +111,6 @@ files:
105
111
  - test/dummy/config/locales/en.yml
106
112
  - test/dummy/config/routes.rb
107
113
  - test/dummy/config.ru
108
- - test/dummy/db/test.sqlite3
109
114
  - test/dummy/log/test.log
110
115
  - test/dummy/public/404.html
111
116
  - test/dummy/public/422.html
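Review bot: dropping test/dummy/db/test.sqlite3 from the packaged files is right; `- test/dummy/log/test.log` listed directly below it should go too, since a log file is build output, grows with every test run, and can carry local paths or request data into the published gem.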
@@ -128,15 +133,21 @@ required_ruby_version: !ruby/object:Gem::Requirement
128
133
  - - ! '>='
129
134
  - !ruby/object:Gem::Version
130
135
  version: '0'
136
+ segments:
137
+ - 0
138
+ hash: -2419436812221565544
131
139
  required_rubygems_version: !ruby/object:Gem::Requirement
132
140
  none: false
133
141
  requirements:
134
142
  - - ! '>='
135
143
  - !ruby/object:Gem::Version
136
144
  version: '0'
145
+ segments:
146
+ - 0
147
+ hash: -2419436812221565544
137
148
  requirements: []
138
149
  rubyforge_project:
139
- rubygems_version: 1.8.24
150
+ rubygems_version: 1.8.25
140
151
  signing_key:
141
152
  specification_version: 3
142
153
  summary: Server-side session expiry via either Rack Middleware or ActiveRecord extension
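Review bot: required_ruby_version stays at `>= 0` (the `version: '0'` line above) while the README now uses Ruby 1.9 hash syntax and Rails 4 itself needs Ruby 1.9.3 or later; set required_ruby_version to '>= 1.9.3' in the gemspec so installation on Ruby 1.8 fails at install time rather than with a syntax error at boot.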
@@ -162,7 +173,6 @@ test_files:
162
173
  - test/dummy/config/locales/en.yml
163
174
  - test/dummy/config/routes.rb
164
175
  - test/dummy/config.ru
165
- - test/dummy/db/test.sqlite3
166
176
  - test/dummy/log/test.log
167
177
  - test/dummy/public/404.html
168
178
  - test/dummy/public/422.html