limited_sessions 3.0.2 → 4.0.0
- data/CHANGELOG +10 -0
- data/MIT-LICENSE +1 -1
- data/README +68 -40
- data/lib/limited_sessions.rb +2 -2
- data/lib/limited_sessions/expiry.rb +3 -3
- data/lib/limited_sessions/self_cleaning_session.rb +2 -2
- data/lib/limited_sessions/version.rb +1 -1
- metadata +19 -9
- data/test/dummy/db/test.sqlite3 +0 -0
data/CHANGELOG
CHANGED
@@ -1,3 +1,13 @@
|
|
1
|
+
* 2013-jun-15 - Support for Rails 4
|
2
|
+
|
3
|
+
- v4.0.0 - Rails 4 compatibility. Use v3.x.x for Rails 3 apps.
|
4
|
+
- For non-ActiveRecord session stores, no change is required from the
|
5
|
+
previous version.
|
6
|
+
- For ActiveRecord session stores, you must add the
|
7
|
+
'activerecord-session_store' gem to your Gemfile and it must be
|
8
|
+
above limited_sessions so that it will be auto-detected properly.
|
9
|
+
This is the only change required.
|
10
|
+
|
1
11
|
* 2012-nov-14 - Merge changes from ejdraper
|
2
12
|
|
3
13
|
- Lower Rack requirement to v1.2.5+ for Rails 3.0 compatibility
|
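Review bot: the new entry tells Rails 3 users to "Use v3.x.x for Rails 3 apps", but nothing in this release enforces that: the only Rails-4 constraint added to the gemspec is `type: :development`, so Bundler will install 4.0.0 into a Rails 3 app and the breakage shows up only when the app boots. Either add a runtime dependency or state in the entry that Bundler will not stop the upgrade. Also, the entry is dated 2013-jun-15 while the gem metadata says `date: 2013-06-28`; pick one so the changelog can be matched to the release.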
data/MIT-LICENSE
CHANGED
data/README
CHANGED
@@ -1,6 +1,6 @@
|
|
1
1
|
LimitedSessions
|
2
2
|
===============
|
3
|
-
Copyright 2007-
|
3
|
+
Copyright 2007-2013 t.e.morgan.
|
4
4
|
License: MIT
|
5
5
|
|
6
6
|
Updates/info: http://iprog.com/projects#limited_sessions
|
@@ -10,33 +10,32 @@ Contact: tm@iprog.com
|
|
10
10
|
|
11
11
|
LimitedSessions provides two distinct features, each in a separate part:
|
12
12
|
* Rack-compatible middleware that expires sessions based on inactivity or
|
13
|
-
maximum session length. This works with Rails
|
14
|
-
* Rails
|
15
|
-
session records.
|
13
|
+
maximum session length. This works with Rails 4 just fine.
|
14
|
+
* Rails 4 extension to the (now separate) ActiveRecord Session Store to
|
15
|
+
auto-cleanup stale session records.
|
16
16
|
|
17
17
|
|
18
18
|
Notes on Rails and Rack versions:
|
19
19
|
The middleware should be compatible with any framework using a recent
|
20
|
-
version of Rack. It was tested with Rack 1.
|
20
|
+
version of Rack. It was tested with Rack 1.5 and Rails 4.0.
|
21
21
|
|
22
|
-
The ActiveRecord Session Store extension requires Rails
|
23
|
-
|
24
|
-
|
25
|
-
|
26
|
-
|
27
|
-
|
22
|
+
The ActiveRecord Session Store extension requires Rails 4 and the now
|
23
|
+
separate activerecord-session_store gem:
|
24
|
+
gem 'activerecord-session_store'
|
25
|
+
activerecord-session_store must be *before* limited_sessions in your Gemfile
|
26
|
+
in order for limited_sessions to auto-detect it.
|
27
|
+
|
28
|
+
For Rails 3, use limited_sessions v3.x.x:
|
29
|
+
gem 'limited_sessions', '~> 3.0'
|
28
30
|
|
29
31
|
|
30
32
|
Upgrading from previous versions:
|
31
|
-
|
32
|
-
|
33
|
-
|
34
|
-
|
35
|
-
|
36
|
-
|
37
|
-
session resets. Additionally, homes and offices increasingly have two or more
|
38
|
-
ISPs, not to mention mobile devices bouncing between WiFi and 3G/4G networks.
|
39
|
-
These scenarios also cause frequent IP address changes.
|
33
|
+
Other than possibly requiring the activerecord-session_store gem as noted
|
34
|
+
above, no changes are required upgrading from limited_sessions 3.x to 4.0.
|
35
|
+
|
36
|
+
If upgrading from limited_sessions v2.x, please review the upgrade notes from
|
37
|
+
limited_sessions 3.x or build a new configuration using the instructions
|
38
|
+
below.
|
40
39
|
|
41
40
|
|
42
41
|
Features:
|
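Review bot: the requirement that "activerecord-session_store must be *before* limited_sessions in your Gemfile in order for limited_sessions to auto-detect it" depends on Bundler's require order, which is easy to break silently (anyone alphabetizing the Gemfile will do it). The README should say what happens when the order is wrong (the SelfCleaningSession class is never loaded and the initializer later fails with NameError) and offer the order-independent alternative of requiring `limited_sessions/self_cleaning_session` explicitly in the initializer. The `gem 'limited_sessions', '~> 3.0'` line for Rails 3 is good; consider adding the matching `'~> 4.0'` line here as well, since the Installation section below already uses it.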
@@ -50,11 +49,11 @@ Features:
|
|
50
49
|
|
51
50
|
|
52
51
|
Requirements:
|
53
|
-
* Rack and
|
52
|
+
* Rack and any Rack-compatible app (including Rails 4)
|
54
53
|
* Utilizing Rack's (or Rails') sessions support
|
55
54
|
* For ActiveRecord session enhancements:
|
56
55
|
* Must be using the standard ActiveRecord::SessionStore
|
57
|
-
(
|
56
|
+
(ActionDispatch::Session::ActiveRecordStore.session_store = :active_record_store)
|
58
57
|
* Ensure your sessions table has an `updated_at` column
|
59
58
|
* If using hard session limits, a `created_at` column is needed too
|
60
59
|
|
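Review bot: new line 56, `(ActionDispatch::Session::ActiveRecordStore.session_store = :active_record_store)`, is not a valid Rails configuration call; the session store is selected on the application config, which the Installation section of this same README shows correctly as `<YourApp>::Application.config.session_store :active_record_store`. Use that form here too so the Requirements and Installation sections agree, and drop the spurious `ActiveRecordStore.session_store =` setter.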
@@ -63,28 +62,27 @@ Installation:
|
|
63
62
|
Add this gem to your Gemfile (Rails) or otherwise make it available to your
|
64
63
|
app. Then, configure as required.
|
65
64
|
|
66
|
-
gem 'limited_sessions'
|
65
|
+
gem 'limited_sessions', '~> 4.0'
|
67
66
|
|
68
67
|
|
69
68
|
Configuration:
|
70
69
|
Rack Middleware with Rails
|
71
|
-
1.
|
72
|
-
|
73
|
-
production only or also during development), add the following:
|
70
|
+
1. Update your config/initializers/session_store.rb and append the
|
71
|
+
following:
|
74
72
|
|
75
73
|
config.middleware.insert_after ActionDispatch::Flash, LimitedSessions::Expiry, \
|
76
|
-
:
|
74
|
+
recent_activity: 2.hours, max_session: 24.hours
|
77
75
|
|
78
76
|
2. Configuration options.
|
79
77
|
The example above shows both configuration options. You may include
|
80
78
|
both, one, or none.
|
81
79
|
|
82
80
|
* Session activity timeout *
|
83
|
-
Example: :
|
81
|
+
Example: recent_activity: 2.hours
|
84
82
|
By default, the session activity timeout is disabled (nil).
|
85
83
|
|
86
84
|
* Maximum session length *
|
87
|
-
Example: :
|
85
|
+
Example: max_session: 24.hours
|
88
86
|
By default, the maximum session length is disabled (nil).
|
89
87
|
|
90
88
|
|
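Review bot: the middleware example at new lines 73-74 uses bare `config.middleware.insert_after ActionDispatch::Flash, LimitedSessions::Expiry, \`, but `config` is not defined at the top level of a file under config/initializers/; in an initializer it has to be `<YourApp>::Application.config.middleware.insert_after ...` (the same receiver the README uses for `config.session_store` further down), or the line belongs in config/application.rb where bare `config` works. The rewritten step 1 also drops the old wording about enabling this "production only or also during development"; if that choice still matters, keep a sentence about it.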
@@ -92,7 +90,7 @@ Configuration:
|
|
92
90
|
1. In your config.ru, add the following *after* the middleware that handles
|
93
91
|
your sessions.
|
94
92
|
|
95
|
-
use LimitedSessions::Expiry, :
|
93
|
+
use LimitedSessions::Expiry, recent_activity: 2.hours, max_session: 24.hours
|
96
94
|
|
97
95
|
2. See #2 above, under Rack Middleware with Rails, for Configuration options.
|
98
96
|
|
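Review bot: the plain-Rack example `use LimitedSessions::Expiry, recent_activity: 2.hours, max_session: 24.hours` only works when ActiveSupport's duration helpers are loaded; in a config.ru outside Rails, `2.hours` raises NoMethodError on Integer. Either show the values in seconds (`recent_activity: 7200, max_session: 86400`) or add a line saying that `require 'active_support/core_ext/numeric/time'` is needed for the `.hours` form.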
@@ -106,7 +104,7 @@ Configuration:
|
|
106
104
|
config/initializers/session_store.rb to reflect the following:
|
107
105
|
|
108
106
|
<YourApp>::Application.config.session_store :active_record_store
|
109
|
-
|
107
|
+
ActionDispatch::Session::ActiveRecordStore.session_class = LimitedSessions::SelfCleaningSession
|
110
108
|
|
111
109
|
3. Configuration options.
|
112
110
|
Each of the following options should also be added to your initializer
|
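Review bot: the new line `ActionDispatch::Session::ActiveRecordStore.session_class = LimitedSessions::SelfCleaningSession` raises NameError for `LimitedSessions::SelfCleaningSession` whenever the auto-detection in lib/limited_sessions.rb did not fire (Gemfile order wrong, or the gem loaded before ActiveRecord), and the README gives no hint of that failure mode. Put `require 'limited_sessions/self_cleaning_session'` immediately above the assignment in this example so the initializer works regardless of Gemfile ordering; the file exists in the gem, so the explicit require costs nothing.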
@@ -114,9 +112,9 @@ Configuration:
|
|
114
112
|
|
115
113
|
|
116
114
|
* Self-cleaning *
|
117
|
-
By default, SelfCleaningSession will clean sessions
|
118
|
-
page views. Technically, it's a 1 in 1000 chance on each page. For
|
119
|
-
sites this is good. Higher traffic sites may want to increase it to
|
115
|
+
By default, SelfCleaningSession will clean the sessions table about every
|
116
|
+
1000 page views. Technically, it's a 1 in 1000 chance on each page. For
|
117
|
+
most sites this is good. Higher traffic sites may want to increase it to
|
120
118
|
10000 or more. 0 will disable self-cleaning.
|
121
119
|
|
122
120
|
LimitedSessions::SelfCleaningSession.self_clean_sessions = 1000
|
@@ -185,17 +183,47 @@ Other questions:
|
|
185
183
|
triggering the recent activity timeout, after 12 hours their session would
|
186
184
|
be reset anyway.
|
187
185
|
|
186
|
+
What are the security implications of using LimitedSessions?
|
187
|
+
LimitedSessions enhances security by reducing risk of session cookie replay
|
188
|
+
attacks. The specifics will depend on what cookie store you're using.
|
189
|
+
|
190
|
+
For Rails' default cookie store, :max_session handling is perhaps most
|
191
|
+
valuable as it guarantees an end to the session. Rails' default behavior
|
192
|
+
allows a session to last for an infinite time. If a cookie is somehow
|
193
|
+
exposed, the holder of the cookie has an open-ended session. Note that
|
194
|
+
signing and/or encryption do not mitigate this.
|
195
|
+
|
196
|
+
For any session store that uses a server-side database (AR, memcache, Redis,
|
197
|
+
etc.), at least the user can formally logout and terminate the session.
|
198
|
+
Auto-expiring sessions (memcache, Redis, AR w/SelfCleaningSession, etc.)
|
199
|
+
will also expire if allowed to, but can also be maintained perpetually by
|
200
|
+
ongoing access.
|
201
|
+
|
202
|
+
Since the cookie store doesn't expire ever, :recent_activity addresses this
|
203
|
+
by making sessions expire similarly to if memcache, Redis, or something
|
204
|
+
similar was being used.
|
205
|
+
|
206
|
+
It is recommended to use both halves of LimitedSessions for best security.
|
207
|
+
|
208
|
+
What are the performance implications of using LimitedSessions?
|
209
|
+
The middleware should have minimal impact.
|
210
|
+
|
211
|
+
The AR enhancement should result in an overall net gain in performance as
|
212
|
+
the size of the AR sessions table will be kept to a smaller size. The 1 in
|
213
|
+
1000 hit (or whatever you've configured it to) may be slightly slower while
|
214
|
+
the database cleanup is in progress.
|
215
|
+
|
188
216
|
Is the AR enhancement compatible with the legacy 'sessid' column?
|
189
217
|
No. Please rename that column to 'session_id'.
|
190
218
|
|
191
219
|
|
192
220
|
Other Notes:
|
193
|
-
|
194
|
-
|
195
|
-
|
196
|
-
|
197
|
-
|
198
|
-
|
221
|
+
This version has been tested on Rack 1.5 and Rails 4.0. It should be
|
222
|
+
compatible with a broad spectrum of data and session stores. If you find a
|
223
|
+
bug, I'd love to hear about it -- preferably via a new issue on GitHub (bonus
|
224
|
+
points for a pull request). Likewise, give me a shout if you have a suggestion
|
225
|
+
or just want to tell me that it works. Thanks for checking limited_sessions
|
226
|
+
out!
|
199
227
|
|
200
228
|
--t (tm@iprog.com; http://iprog.com/)
|
201
229
|
|
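Review bot: "Rails' default behavior allows a session to last for an infinite time" needs a qualification, because the cookie store does accept an expiry option; the point worth making is that such an expiry is enforced only by the browser, so anyone who has captured the cookie value can keep replaying it, and only a timestamp checked server-side (which is what `:max_session` and `:recent_activity` provide) ends the session for the attacker as well as the user. In the same spirit, the sentence "at least the user can formally logout and terminate the session" for server-side stores should state the contrast explicitly: with the cookie store, logging out does not revoke a copy of the cookie that has already been taken. The rest of the section (signing/encryption do not mitigate replay; server-side stores can still be kept alive by ongoing access) is accurate and worth keeping as written.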
data/lib/limited_sessions.rb
CHANGED
@@ -1,11 +1,11 @@
|
|
1
1
|
# LimitedSessions
|
2
|
-
# (c) 2007-
|
2
|
+
# (c) 2007-2013 t.e.morgan
|
3
3
|
# Made available under the MIT license
|
4
4
|
|
5
5
|
module LimitedSessions
|
6
6
|
end
|
7
7
|
|
8
8
|
require 'limited_sessions/expiry'
|
9
|
-
if defined? ActiveRecord
|
9
|
+
if defined? ActiveRecord::SessionStore::Session
|
10
10
|
require 'limited_sessions/self_cleaning_session'
|
11
11
|
end
|
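Review bot: the new guard `if defined? ActiveRecord::SessionStore::Session` silently does nothing when activerecord-session_store has not been required yet, which is exactly the misordered-Gemfile case the README warns about, and the failure then surfaces later as a NameError in the user's initializer rather than here. Either warn to stderr when `ActiveRecord` is loaded but `ActiveRecord::SessionStore::Session` is not, or drop the guard and document an explicit `require 'limited_sessions/self_cleaning_session'` instead. The `defined?` check itself is safe for non-AR apps (it returns nil rather than raising when `ActiveRecord` is absent), so the change from the old `if defined? ActiveRecord` is fine as far as it goes.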
@@ -1,9 +1,9 @@
|
|
1
1
|
# LimitedSessions
|
2
|
-
# (c) 2007-
|
2
|
+
# (c) 2007-2013 t.e.morgan
|
3
3
|
# Made available under the MIT license
|
4
4
|
|
5
|
-
# This version is compatible with Rack 1.4 (possibly earlier; untested).
|
6
|
-
# Correspondingly, it is compatible with Rails 3.x.
|
5
|
+
# This version is compatible with Rack 1.4-1.5 (possibly earlier; untested).
|
6
|
+
# Correspondingly, it is compatible with Rails 3.x-4.x.
|
7
7
|
|
8
8
|
module LimitedSessions
|
9
9
|
# Rack middleware that should be installed *after* the session handling middleware
|
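Review bot: in the expiry.rb hunk the updated header comment claims "compatible with Rails 3.x-4.x", while the CHANGELOG in this same release says "Use v3.x.x for Rails 3 apps" and the gemspec pins the Rails-4 dependency to `>= 4.0.0.beta, < 5`; the three statements should agree. If the intent is that the middleware on its own still works on Rails 3 (plausible, since the comment says it depends only on Rack 1.4-1.5), say exactly that here and in the README's "Notes on Rails and Rack versions" rather than leaving a blanket 3.x claim in a 4.0.0-only gem.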
@@ -2,13 +2,13 @@
|
|
2
2
|
# (c) 2007-2012 t.e.morgan
|
3
3
|
# Made available under the MIT license
|
4
4
|
|
5
|
-
# This is the Rails
|
5
|
+
# This is the Rails 4.x version.
|
6
6
|
|
7
7
|
module LimitedSessions
|
8
8
|
class SelfCleaningSession < ActiveRecord::SessionStore::Session
|
9
9
|
|
10
10
|
# disable short circuit by Dirty module; ensures :updated_at is kept updated
|
11
|
-
self.
|
11
|
+
self.partial_writes = false
|
12
12
|
|
13
13
|
self.table_name = 'sessions'
|
14
14
|
|
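Review bot: in the self_cleaning_session.rb hunk the copyright line at line 2, `# (c) 2007-2012 t.e.morgan`, was not bumped to 2013 like the other files in this release. On the code change, `self.partial_writes = false` forces every column to be written on each save of the session row; since the README requires an `updated_at` column and the cleanup keys off it, the comment "disable short circuit by Dirty module; ensures :updated_at is kept updated" should state that this is the deliberate cost (a full-row write per request that saves the session) rather than leaving the reader to guess why partial writes are off.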
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: limited_sessions
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version:
|
4
|
+
version: 4.0.0
|
5
5
|
prerelease:
|
6
6
|
platform: ruby
|
7
7
|
authors:
|
@@ -9,7 +9,7 @@ authors:
|
|
9
9
|
autorequire:
|
10
10
|
bindir: bin
|
11
11
|
cert_chain: []
|
12
|
-
date:
|
12
|
+
date: 2013-06-28 00:00:00.000000000 Z
|
13
13
|
dependencies:
|
14
14
|
- !ruby/object:Gem::Dependency
|
15
15
|
name: rack
|
@@ -54,17 +54,23 @@ dependencies:
|
|
54
54
|
requirement: !ruby/object:Gem::Requirement
|
55
55
|
none: false
|
56
56
|
requirements:
|
57
|
-
- -
|
57
|
+
- - ! '>='
|
58
|
+
- !ruby/object:Gem::Version
|
59
|
+
version: 4.0.0.beta
|
60
|
+
- - <
|
58
61
|
- !ruby/object:Gem::Version
|
59
|
-
version:
|
62
|
+
version: '5'
|
60
63
|
type: :development
|
61
64
|
prerelease: false
|
62
65
|
version_requirements: !ruby/object:Gem::Requirement
|
63
66
|
none: false
|
64
67
|
requirements:
|
65
|
-
- -
|
68
|
+
- - ! '>='
|
69
|
+
- !ruby/object:Gem::Version
|
70
|
+
version: 4.0.0.beta
|
71
|
+
- - <
|
66
72
|
- !ruby/object:Gem::Version
|
67
|
-
version:
|
73
|
+
version: '5'
|
68
74
|
description: ! 'LimitedSessions provides two core features to handle cookie-based
|
69
75
|
session expiry: 1) Rack Middleware for most session stores and 2) an ActiveRecord
|
70
76
|
extension for AR-based session stores. Sessions can be expired on inactivity and/or
|
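Review bot: the dependency constrained to `>= 4.0.0.beta, < 5` in this hunk is `type: :development` only, so it protects nobody installing the gem, and `4.0.0.beta` is an odd lower bound for a final release when the README says it was tested on Rails 4.0; bump it to `4.0.0`. There is also no dependency of any kind on `activerecord-session_store`, even though the self-cleaning half of the gem cannot load without it; an explicit development dependency would at least record the version the tests ran against.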
@@ -105,7 +111,6 @@ files:
|
|
105
111
|
- test/dummy/config/locales/en.yml
|
106
112
|
- test/dummy/config/routes.rb
|
107
113
|
- test/dummy/config.ru
|
108
|
-
- test/dummy/db/test.sqlite3
|
109
114
|
- test/dummy/log/test.log
|
110
115
|
- test/dummy/public/404.html
|
111
116
|
- test/dummy/public/422.html
|
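Review bot: dropping `- test/dummy/db/test.sqlite3` from the packaged files is the right call, but `- test/dummy/log/test.log` on the next line is still shipped; a log file has no more business in a gem than a database does, and test logs can carry local paths or session data from test runs. Remove it from both `files` and `test_files`, ideally by excluding `test/dummy/log/` and `test/dummy/db/*.sqlite3` in the gemspec's file glob so they cannot creep back in.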
@@ -128,15 +133,21 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
128
133
|
- - ! '>='
|
129
134
|
- !ruby/object:Gem::Version
|
130
135
|
version: '0'
|
136
|
+
segments:
|
137
|
+
- 0
|
138
|
+
hash: -2419436812221565544
|
131
139
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
132
140
|
none: false
|
133
141
|
requirements:
|
134
142
|
- - ! '>='
|
135
143
|
- !ruby/object:Gem::Version
|
136
144
|
version: '0'
|
145
|
+
segments:
|
146
|
+
- 0
|
147
|
+
hash: -2419436812221565544
|
137
148
|
requirements: []
|
138
149
|
rubyforge_project:
|
139
|
-
rubygems_version: 1.8.
|
150
|
+
rubygems_version: 1.8.25
|
140
151
|
signing_key:
|
141
152
|
specification_version: 3
|
142
153
|
summary: Server-side session expiry via either Rack Middleware or ActiveRecord extension
|
@@ -162,7 +173,6 @@ test_files:
|
|
162
173
|
- test/dummy/config/locales/en.yml
|
163
174
|
- test/dummy/config/routes.rb
|
164
175
|
- test/dummy/config.ru
|
165
|
-
- test/dummy/db/test.sqlite3
|
166
176
|
- test/dummy/log/test.log
|
167
177
|
- test/dummy/public/404.html
|
168
178
|
- test/dummy/public/422.html
|
data/test/dummy/db/test.sqlite3
DELETED
File without changes
|