RubyGems - limited_sessions - Versions diffs - 3.0.2 → 5.0.0 - Mend

limited_sessions 3.0.2 → 5.0.0

Files changed (11) hide show

checksums.yaml +7 -0
data/CHANGELOG +30 -0
data/MIT-LICENSE +1 -1
data/README.md +205 -0
data/lib/limited_sessions.rb +1 -5
data/lib/limited_sessions/expiry.rb +2 -9
data/lib/limited_sessions/self_cleaning_session.rb +6 -10
data/lib/limited_sessions/version.rb +1 -1
metadata +59 -64
data/README +0 -201
data/test/dummy/db/test.sqlite3 +0 -0

checksums.yaml ADDED Viewed

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 372dbf49775aefdb7902b765bc5727c9506f6df46251d890e5a31e957ba70962
+  data.tar.gz: d2d4e1684ec8f9b183a5cdf3d4722e73d8ac8bd7d1b656b41c3fd0f3d2ed6a62
+SHA512:
+  metadata.gz: 92285992bce470310c88b656caf2a62d26bfa9315656d13bab944e44241743eb1a7bb86d912f837a13328be682a402c021d89552124577ce26e6212d84c1dba6
+  data.tar.gz: 176aea0865080e0399d2cd5f17cd3a04bb3daeccc06e5be982ed4c422bbeee6b2c1b47aaa73d7ff3a514468dcda0a39adee855916d955ecb48ec43b39b098425

data/CHANGELOG CHANGED Viewed

@@ -1,3 +1,33 @@
+* 2021-apr-20 - v5.0.0
+  - Drop support for Rack <= 2.0.8 and Rails < 5.2
+  - Update for new rubies
+  - Cleanup readme and comments
+* 2017-may-22 - v4.2.0
+  - Fixed ActiveRecord session cleanup on Rails 5.1
+  - Prevent ActiveRecord session cleanup from possibly running more often than
+    configured due to Rails loading sessions more than once per request.
+* 2016-feb-12 - v4.1.0
+  - Support Rails 5.0 & Rack 2.0
+* 2013-dec-14 - v4.0.1
+  - Fix deprecation warning
+* 2013-jun-15 - Support for Rails 4
+  - v4.0.0 - Rails 4 compatibility. Use v3.x.x for Rails 3 apps.
+  - For non-ActiveRecord session stores, no change is required from the
+    previous version.
+  - For ActiveRecord session stores, you must add the
+    'activerecord-session_store' gem to your Gemfile and it must be
+    above limited_sessions so that it will be auto-detected properly.
+    This is the only change required.
 * 2012-nov-14 - Merge changes from ejdraper
   - Lower Rack requirement to v1.2.5+ for Rails 3.0 compatibility

data/MIT-LICENSE CHANGED Viewed

@@ -1,4 +1,4 @@
-Copyright 2007-2012 t.e.morgan
+Copyright 2007-2021 t.e.morgan
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the

data/README.md ADDED Viewed

@@ -0,0 +1,205 @@
+# LimitedSessions
+LimitedSessions provides two distinct features, each in a separate part:
+* Rack-compatible middleware that expires sessions based on inactivity or maximum session length. The middleware supports any session storage type, including cookies, Redis, ActiveRecord, etc.
+* Rails extension to the (now separate) ActiveRecord Session Store to auto-cleanup stale session records.
+## Features
+* For all session stores:
+  * Configurable session expiry time (eg: 2 hours from last page access)
+  * Optional hard maximum limit from beginning of session (eg: 24 hours)
+* When using the ActiveRecord Session Store:
+  * DB-based handling of session expiry (activity and hard limits) instead of by session paramters
+  * Auto-cleaning of expired session records
+## Requirements
+* Rack and any Rack-compatible app (including Rails)
+* Utilizing Rack's (or Rails') sessions
+* For ActiveRecord session enhancements:
+  * Must be using the standard ActiveRecord::SessionStore
+    (`ActionDispatch::Session::ActiveRecordStore.session_store = :active_record_store`)
+  * Ensure your sessions table has an `updated_at` column
+  * If using hard session limits, a `created_at` column is needed too
+## Compatibility
+The middleware should be compatible with any framework using a recent version of Rack. It has been tested with Rack 2.x and Rails 5.2-6.1.
+The optional ActiveRecord Session Store extension requires Rails.
+If using Rack < 2.0.9 or Rails < 5.2, use LimitedSessions 4.x.
+## Upgrading
+No changes are required to upgrade from LimitedSessions 4.x to 5.0.
+Upgrading `activerecord-session_store` from 1.x to 2.x may require changes. See its own upgrade instructions.
+## Installation
+Add this gem to your Gemfile or otherwise make it available to your app. Then, configure as required.
+```ruby
+gem 'limited_sessions', '~> 5'
+```
+If storing sessions in the DB using ActiveRecord with AR Session Store:
+```ruby
+gem 'activerecord-session_store'
+gem 'limited_sessions', '~> 5'
+```
+`activerecord-session_store` must be loaded first in order for `limited_sessions` to properly detect it.
+## Configuration
+### Rack Middleware with Rails
+1. Add/update `config/initializers/session_store.rb` and append the following:
+    ```ruby
+    config.middleware.insert_after ActionDispatch::Flash, LimitedSessions::Expiry, \
+      recent_activity: 2.hours, max_session: 24.hours
+    ```
+2. Configuration options.
+    The example above shows both configuration options. You may include one, both, or none.
+    #### Session activity timeout
+    Example: `recent_activity: 2.hours`
+    By default, the session activity timeout is disabled (`nil`).
+    #### Maximum session length
+    Example: `max_session: 24.hours`
+    By default, the maximum session length is disabled (`nil`).
+### Rack Middleware apart from Rails
+1. In `config.ru`, add the following *after* the middleware that handles your sessions.
+    ```ruby
+    use LimitedSessions::Expiry, recent_activity: 2.hours, max_session: 24.hours
+    ```
+2. For configuration options, see #2 above, under Rack Middleware with Rails.
+### ActionRecord Session Store extension
+1. If you don't already have an `updated_at` column on your sessions table, create a migration and add it. If you plan to use the hard session limit feature, you'll also need to add `created_at`.
+2. Tell Rails to use your the new session store. Change `config/initializers/session_store.rb` to reflect the following:
+    ```ruby
+    Rails.application.config.session_store :active_record_store
+    ActionDispatch::Session::ActiveRecordStore.session_class = LimitedSessions::SelfCleaningSession
+    ```
+3. Configuration options.
+    Each of the following options should also be added to your initializer file from step 2.
+    #### Self-cleaning
+    By default, SelfCleaningSession will clean the sessions table every 1000 page views. Technically, it's a 1 in 1000 chance on each page. For most sites this is good. Higher traffic sites may want to increase it to 10000 or more. Set to 0 to disable self-cleaning.
+    ```ruby
+    LimitedSessions::SelfCleaningSession.self_clean_sessions = 1000
+    ```
+    #### Session activity timeout
+    The default session activity timeout is 2 hours. This uses the `updated_at` column which will be updated on every page load.
+    This can also be disabled by setting to `nil`. However, the `updated_at` column is still required for self-cleaning and will effectively function as if set to `1.week`. If you really want it longer, set it to `1.year` or something.
+    ```ruby
+    LimitedSessions::SelfCleaningSession.recent_activity = 2.hours
+    ```
+    #### Maximum session length
+    By default, maximum session length handling is disabled. When enabled, it uses the `created_at` column to do its work.
+    A value of `nil` disables this feature and `created_at` does not need to exist in this case.
+    ```ruby
+    LimitedSessions::SelfCleaningSession.max_session = 12.hours
+    ```
+## Questions
+* Do I need both the middleware and the ActiveRecord Session Store?
+  No. While it should work, it is not necessary to use both the middleware
+  and the ActiveRecord Session Store. If you are storing sessions via AR,
+  then use the ActiveRecord Session Store. If you are storing sessions any
+  other way, then use the middleware.
+* I'm storing sessions in {Memcache, Redis, etc.} and they auto-expire sessions. Do I need this?
+  Maybe, maybe not. Normally, that auto-expire period is equivalent to LimitedSessions' :recent_activity. If that's all you want, then you don't need this. However, if you'd also like to put a maximum cap on session length, regardless of activity, then LimitedSessions' `:max_session` feature will still be useful.
+* Can I use the middleware with ActiveRecord instead of the ActionRecord Session Store enhancement?
+  Yes. Session expiry (recent activity and max session length) should work fine in this circumstance. The only thing you won't get is self-cleaning of the AR sessions table.
+* How are session expiry times tracked?
+  The middleware adds one or two keys to the session data: `:last_visit` and/or `:first_visit`.
+  The AR enhancement uses `updated_a`t and possibly `created_at`.
+* How is this different from using the session cookie's own expires= value?
+  The cookie's own value puts the trust in the client to self-expire. If you really want to control session lengths, then you need to manage the values on the application side. LimitedSessions is fully compatible with the cookie's expires= value, however, and the two can be used together.
+* What's the difference between `:recent_activity` and `:max_session`?
+  Recent activity requires regular access on your site. If it's set to 15 minutes, then a page must be loaded at least once every 15 minutes.
+  Max session is a cap on the session from the very beginning. If it's set to 12 hours, then even if a user is accessing the page constantly, and not triggering the recent activity timeout, after 12 hours their session would be reset anyway.
+* What are the security implications of using LimitedSessions?
+  LimitedSessions enhances security by reducing risk of session cookie replay attacks. The specifics will depend on what cookie store you're using.
+  For Rails' default cookie store, `:max_session` handling is perhaps most valuable as it guarantees an end to the session. Rails' default behavior allows a session to last for an infinite time. If a cookie is somehow exposed, the holder of the cookie has an open-ended session. Note that signing and/or encryption do not mitigate this.
+  For any session store that uses a server-side database (AR, memcache, Redis, etc.), at least the user can formally logout and terminate the session. Auto-expiring sessions (memcache, Redis, AR w/SelfCleaningSession, etc.) will also expire if allowed to, but can also be maintained perpetually by ongoing access.
+  Since the cookie store doesn't expire ever, `:recent_activity` addresses this by making sessions expire similarly to if memcache, Redis, or something similar was being used.
+  It is recommended to use both aspects of LimitedSessions for best security.
+* What are the performance implications of using LimitedSessions?
+  The middleware should have minimal impact.
+  The AR enhancement should result in an overall net gain in performance as the size of the AR sessions table will be kept to a smaller size. The 1 in 1000 hit (or whatever you've configured it to) may be slightly slower while the database cleanup is in progress.
+## Contributing
+1. Fork it ( https://github.com/zarqman/smart_assets/fork )
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create new Pull Request
+## License
+MIT

data/lib/limited_sessions.rb CHANGED Viewed

@@ -1,11 +1,7 @@
-# LimitedSessions
-# (c) 2007-2012 t.e.morgan
-# Made available under the MIT license
 module LimitedSessions
 end
 require 'limited_sessions/expiry'
-if defined? ActiveRecord
+if defined? ActiveRecord::SessionStore::Session
   require 'limited_sessions/self_cleaning_session'
 end

data/lib/limited_sessions/expiry.rb CHANGED Viewed

@@ -1,16 +1,9 @@
-# LimitedSessions
-# (c) 2007-2012 t.e.morgan
-# Made available under the MIT license
-# This version is compatible with Rack 1.4 (possibly earlier; untested).
-# Correspondingly, it is compatible with Rails 3.x.
 module LimitedSessions
   # Rack middleware that should be installed *after* the session handling middleware
   class Expiry
     DEFAULT_OPTIONS = {
-      :recent_activity => nil,  # eg: 2.hours
-      :max_session => nil       # eg: 24.hours
+      recent_activity: nil,  # eg: 2.hours
+      max_session: nil       # eg: 24.hours
     }
     def initialize(app, options={})

data/lib/limited_sessions/self_cleaning_session.rb CHANGED Viewed

@@ -1,14 +1,8 @@
-# LimitedSessions
-# (c) 2007-2012 t.e.morgan
-# Made available under the MIT license
-# This is the Rails 3.x version; it is /not/ compatible with Rails 2.x.
 module LimitedSessions
   class SelfCleaningSession < ActiveRecord::SessionStore::Session
     # disable short circuit by Dirty module; ensures :updated_at is kept updated
-    self.partial_updates = false
+    self.partial_writes = false
     self.table_name = 'sessions'
@@ -29,19 +23,21 @@ module LimitedSessions
       # If this is a problem, use a migration and rename the column.
       def find_by_session_id(session_id)
         consider_self_clean
-        active_session.current_session.where(:session_id=>session_id).first
+        active_session.current_session.where(session_id: session_id).first
       end
       private
       def consider_self_clean
         return if self_clean_sessions == 0
+        return if defined?(@@last_check) && @@last_check == Time.now.to_i
         if rand(self_clean_sessions) == 0
+          @@last_check = Time.now.to_i
           # logger.info "SelfCleaningSession :: scrubbing expired sessions"
           look_back_recent = recent_activity || 1.week
           if max_session
-            delete_all ['updated_at < ? OR created_at < ?', Time.current - look_back_recent, Time.current - max_session]
+            self.where('updated_at < ? OR created_at < ?', Time.current - look_back_recent, Time.current - max_session).delete_all
           elsif columns_hash['updated_at']
-            delete_all ['updated_at < ?', Time.current - look_back_recent]
+            self.where('updated_at < ?', Time.current - look_back_recent).delete_all
           else
             # logger.warning "WARNING: Unable to self-clean Sessions table; updated_at column is missing"
             self.self_clean_sessions = 0

data/lib/limited_sessions/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module LimitedSessions
-  VERSION = "3.0.2"
+  VERSION = '5.0.0'
 end

metadata CHANGED Viewed

@@ -1,94 +1,96 @@
 --- !ruby/object:Gem::Specification
 name: limited_sessions
 version: !ruby/object:Gem::Version
-  version: 3.0.2
-  prerelease:
+  version: 5.0.0
 platform: ruby
 authors:
 - t.e.morgan
-autorequire:
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2012-11-15 00:00:00.000000000 Z
+date: 2021-04-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
-        version: 1.2.5
-    - - <
+        version: 2.0.9
+    - - "<"
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: '3'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
-        version: 1.2.5
-    - - <
+        version: 2.0.9
+    - - "<"
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: '3'
 - !ruby/object:Gem::Dependency
   name: sqlite3
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: rails
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ~>
+    - - ">="
       - !ruby/object:Gem::Version
-        version: 3.2.6
+        version: '5.2'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '6.2'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ~>
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '5.2'
+    - - "<"
       - !ruby/object:Gem::Version
-        version: 3.2.6
-description: ! 'LimitedSessions provides two core features to handle cookie-based
-  session expiry: 1) Rack Middleware for most session stores and 2) an ActiveRecord
-  extension for AR-based session stores. Sessions can be expired on inactivity and/or
-  overall session length.'
+        version: '6.2'
+description: 'LimitedSessions provides two core features to handle cookie-based session
+  expiry: 1) Rack Middleware for most session stores and 2) an ActiveRecord extension
+  for AR-based session stores. Sessions can be expired on inactivity and/or overall
+  session length.'
 email:
 - tm@iprog.com
 executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- CHANGELOG
+- MIT-LICENSE
+- README.md
+- Rakefile
+- lib/limited_sessions.rb
 - lib/limited_sessions/expiry.rb
 - lib/limited_sessions/self_cleaning_session.rb
 - lib/limited_sessions/version.rb
-- lib/limited_sessions.rb
 - lib/tasks/limited_sessions_tasks.rake
-- MIT-LICENSE
-- Rakefile
-- README
-- CHANGELOG
+- test/dummy/README.rdoc
+- test/dummy/Rakefile
 - test/dummy/app/assets/javascripts/application.js
 - test/dummy/app/assets/stylesheets/application.css
 - test/dummy/app/controllers/application_controller.rb
 - test/dummy/app/helpers/application_helper.rb
 - test/dummy/app/views/layouts/application.html.erb
+- test/dummy/config.ru
 - test/dummy/config/application.rb
 - test/dummy/config/boot.rb
 - test/dummy/config/database.yml
@@ -104,72 +106,65 @@ files:
 - test/dummy/config/initializers/wrap_parameters.rb
 - test/dummy/config/locales/en.yml
 - test/dummy/config/routes.rb
-- test/dummy/config.ru
-- test/dummy/db/test.sqlite3
 - test/dummy/log/test.log
 - test/dummy/public/404.html
 - test/dummy/public/422.html
 - test/dummy/public/500.html
 - test/dummy/public/favicon.ico
-- test/dummy/Rakefile
-- test/dummy/README.rdoc
 - test/dummy/script/rails
 - test/limited_sessions_test.rb
 - test/test_helper.rb
-homepage: http://iprog.com/projects#limited_sessions
+homepage: https://iprog.com/projects#limited_sessions
 licenses: []
-post_install_message:
+metadata: {}
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
-  none: false
   requirements:
-  - - ! '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
-  none: false
   requirements:
-  - - ! '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project:
-rubygems_version: 1.8.24
-signing_key:
-specification_version: 3
+rubygems_version: 3.0.9
+signing_key:
+specification_version: 4
 summary: Server-side session expiry via either Rack Middleware or ActiveRecord extension
 test_files:
+- test/dummy/app/controllers/application_controller.rb
+- test/dummy/app/views/layouts/application.html.erb
 - test/dummy/app/assets/javascripts/application.js
 - test/dummy/app/assets/stylesheets/application.css
-- test/dummy/app/controllers/application_controller.rb
 - test/dummy/app/helpers/application_helper.rb
-- test/dummy/app/views/layouts/application.html.erb
-- test/dummy/config/application.rb
-- test/dummy/config/boot.rb
-- test/dummy/config/database.yml
-- test/dummy/config/environment.rb
-- test/dummy/config/environments/development.rb
+- test/dummy/config/routes.rb
+- test/dummy/config/locales/en.yml
 - test/dummy/config/environments/production.rb
+- test/dummy/config/environments/development.rb
 - test/dummy/config/environments/test.rb
+- test/dummy/config/environment.rb
+- test/dummy/config/application.rb
+- test/dummy/config/database.yml
+- test/dummy/config/boot.rb
 - test/dummy/config/initializers/backtrace_silencers.rb
-- test/dummy/config/initializers/inflections.rb
 - test/dummy/config/initializers/mime_types.rb
-- test/dummy/config/initializers/secret_token.rb
 - test/dummy/config/initializers/session_store.rb
 - test/dummy/config/initializers/wrap_parameters.rb
-- test/dummy/config/locales/en.yml
-- test/dummy/config/routes.rb
+- test/dummy/config/initializers/secret_token.rb
+- test/dummy/config/initializers/inflections.rb
 - test/dummy/config.ru
-- test/dummy/db/test.sqlite3
-- test/dummy/log/test.log
-- test/dummy/public/404.html
+- test/dummy/script/rails
+- test/dummy/Rakefile
+- test/dummy/public/favicon.ico
 - test/dummy/public/422.html
 - test/dummy/public/500.html
-- test/dummy/public/favicon.ico
-- test/dummy/Rakefile
+- test/dummy/public/404.html
+- test/dummy/log/test.log
 - test/dummy/README.rdoc
-- test/dummy/script/rails
 - test/limited_sessions_test.rb
 - test/test_helper.rb

data/README DELETED Viewed

@@ -1,201 +0,0 @@
-LimitedSessions
-===============
-Copyright 2007-2012 t.e.morgan.
-License: MIT
-Updates/info: http://iprog.com/projects#limited_sessions
-Source: https://github.com/zarqman/limited_sessions
-Contact: tm@iprog.com
-LimitedSessions provides two distinct features, each in a separate part:
-  * Rack-compatible middleware that expires sessions based on inactivity or
-    maximum session length. This works with Rails 3 just fine.
-  * Rails 3 extension to the ActiveRecord Session Store to auto-cleanup stale
-    session records.
-Notes on Rails and Rack versions:
-  The middleware should be compatible with any framework using a recent
-  version of Rack. It was tested with Rack 1.4 and Rails 3.2.
-  The ActiveRecord Session Store extension requires Rails 3 (and was also
-  tested with Rails 3.2).
-  Versions compatible with Rails 2.3 and Rails 2.2/prior can be found at:
-  https://github.com/zarqman/limited_sessions/tree/v2.3 and
-  https://github.com/zarqman/limited_sessions/tree/v2.2
-Upgrading from previous versions:
-  Both initialization and configuration options have changed. See the
-  Configuration section below.
-  Note that all support for IP address restrictions has been removed. IPv4/IPv6
-  dual-stack environments have demonstrated a number of real-world issues,
-  namely user HTTP traffic bouncing between IPv4 and IPv6 resulting in chronic
-  session resets. Additionally, homes and offices increasingly have two or more
-  ISPs, not to mention mobile devices bouncing between WiFi and 3G/4G networks.
-  These scenarios also cause frequent IP address changes.
-Features:
-  * For all session stores:
-    * Configurable session expiry time (eg: 2 hours from last page access)
-    * Optional hard maximum limit from beginning of session (eg: 24 hours)
-  * When using the ActiveRecord Session Store:
-    * DB-based handling of session expiry (activity and hard limits) instead of
-      by session paramters
-    * Auto-cleaning of expired session records
-Requirements:
-  * Rack and possibly Rails 3
-  * Utilizing Rack's (or Rails') sessions support
-  * For ActiveRecord session enhancements:
-    * Must be using the standard ActiveRecord::SessionStore
-      (ActionController::Base.session_store = :active_record_store)
-    * Ensure your sessions table has an `updated_at` column
-    * If using hard session limits, a `created_at` column is needed too
-Installation:
-  Add this gem to your Gemfile (Rails) or otherwise make it available to your
-  app. Then, configure as required.
-  gem 'limited_sessions'
-Configuration:
-  Rack Middleware with Rails
-    1. To either your config/environments/production.rb or your
-       config/application.rb file (depending on if you want this to apply in
-       production only or also during development), add the following:
-       config.middleware.insert_after ActionDispatch::Flash, LimitedSessions::Expiry, \
-         :recent_activity=>2.hours, :max_session=>24.hours
-    2. Configuration options.
-       The example above shows both configuration options. You may include
-       both, one, or none.
-       * Session activity timeout *
-       Example: :recent_activity => 2.hours
-       By default, the session activity timeout is disabled (nil).
-       * Maximum session length *
-       Example: :max_session => 24.hours
-       By default, the maximum session length is disabled (nil).
-  Rack Middleware apart from Rails
-    1. In your config.ru, add the following *after* the middleware that handles
-       your sessions.
-       use LimitedSessions::Expiry, :recent_activity=>2.hours, :max_session=>24.hours
-    2. See #2 above, under Rack Middleware with Rails, for Configuration options.
-  ActionRecord Session Store
-    1. If you don't already have an 'updated_at' column on your sessions table,
-       create a migration and add it. If you plan to use the hard session limit
-       feature, you'll also need to add 'created_at'.
-    2. Tell Rails to use your the new session store. Change
-       config/initializers/session_store.rb to reflect the following:
-       <YourApp>::Application.config.session_store :active_record_store
-       ActiveRecord::SessionStore.session_class = LimitedSessions::SelfCleaningSession
-    3. Configuration options.
-       Each of the following options should also be added to your initializer
-       file from step 2.
-       * Self-cleaning *
-       By default, SelfCleaningSession will clean sessions out about every 1000
-       page views. Technically, it's a 1 in 1000 chance on each page. For most
-       sites this is good. Higher traffic sites may want to increase it to
-       10000 or more. 0 will disable self-cleaning.
-       LimitedSessions::SelfCleaningSession.self_clean_sessions = 1000
-       * Session activity timeout *
-       The default session activity timeout is 2 hours. This uses the
-       'updated_at' column which will be updated on every page load.
-       This can also be disabled by setting to nil. However, the 'updated_at'
-       column is still required for self-cleaning and will effectively function
-       as if this was set to 1.week. If you really want it longer, set it to
-       1.year or something.
-       LimitedSessions::SelfCleaningSession.recent_activity = 2.hours
-       * Maximum session length *
-       By default, the maximum session length handling is disabled. When
-       enabled, it uses the 'created_at' column to do its work.
-       A value of nil disables this feature and 'created_at' does not need to
-       exist in this case.
-       LimitedSessions::SelfCleaningSession.max_session = 12.hours
-Other questions:
-  Do I need both the middleware and the ActiveRecord Session Store?
-    No. While it should work, it is not necessary to use both the middleware
-    and the ActiveRecord Session Store. If you are storing sessions via AR,
-    then use the ActiveRecord Session Store. If you are storing sessions any
-    other way, then use the middleware.
-  I'm storing sessions in {Memcache, Redis, etc.} and they auto-expire
-  sessions. Do I need this?
-    Maybe, maybe not. Normally, that auto-expire period is equivalent to
-    LimitedSessions' :recent_activity. If that's all you want, then you don't
-    need this. However, if you'd also like to put a maximum cap on session
-    length, regardless of activity, then LimitedSessions' :max_session feature
-    will still be useful.
-  Can I use the middleware with ActiveRecord instead of the ActionRecord
-  Session Store enhancement?
-    Yes; session expiry (recent activity and max session length) should work
-    fine in this circumstance. The only thing you won't get is self-cleaning of
-    the AR sessions table.
-  How are session expiry times tracked?
-    The middleware adds one or two keys to the session data: :last_visit and/or
-    :first_visit.
-    The AR enhancement uses 'updated_at' and possibly 'created_at'.
-  How is this different from using the session cookie's own expires= value?
-    The cookie's own value puts the trust in the client to self-expire. If you
-    really want to control session lengths, then you need to manage the values
-    on the application side. LimitedSessions is fully compatible with the
-    cookie's expires= value, however, and the two can be used together.
-  What's the difference between :recent_activity and :max_session?
-    Recent activity requires regular access on your site. If it's set to 15
-    minutes, then a page must be loaded at least once every 15 minutes.
-    Max session is a cap on the session from the very beginning. If it's set to
-    12 hours, then even if a user is accessing the page constantly, and not
-    triggering the recent activity timeout, after 12 hours their session would
-    be reset anyway.
-  Is the AR enhancement compatible with the legacy 'sessid' column?
-    No. Please rename that column to 'session_id'.
-Other Notes:
-  I'm sure there are better ways to do some of what's here, but this seems to
-  work. This version has been tested on Rack 1.4, Rails 3.2, PostgreSQL 9.1,
-  and Redis 2.2 (via the redis and redis-session-store gems). Other databases
-  and session stores should work, but if you find a bug, I'd love to hear about
-  it. Likewise, give me a shout if you have a suggestion or just want to tell
-  me that it works. Thanks for checking limited_sessions out!
-      --t (tm@iprog.com; http://iprog.com/)

data/test/dummy/db/test.sqlite3 DELETED Viewed

File without changes