RubyGems - limited_sessions - Versions diffs - 3.0.2 → 5.0.0 - Mend

limited_sessions 3.0.2 → 5.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

checksums.yaml +7 -0
data/CHANGELOG +30 -0
data/MIT-LICENSE +1 -1
data/README.md +205 -0
data/lib/limited_sessions.rb +1 -5
data/lib/limited_sessions/expiry.rb +2 -9
data/lib/limited_sessions/self_cleaning_session.rb +6 -10
data/lib/limited_sessions/version.rb +1 -1
metadata +59 -64
data/README +0 -201
data/test/dummy/db/test.sqlite3 +0 -0

checksums.yaml ADDED Viewed

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 372dbf49775aefdb7902b765bc5727c9506f6df46251d890e5a31e957ba70962
+  data.tar.gz: d2d4e1684ec8f9b183a5cdf3d4722e73d8ac8bd7d1b656b41c3fd0f3d2ed6a62
+SHA512:
+  metadata.gz: 92285992bce470310c88b656caf2a62d26bfa9315656d13bab944e44241743eb1a7bb86d912f837a13328be682a402c021d89552124577ce26e6212d84c1dba6
+  data.tar.gz: 176aea0865080e0399d2cd5f17cd3a04bb3daeccc06e5be982ed4c422bbeee6b2c1b47aaa73d7ff3a514468dcda0a39adee855916d955ecb48ec43b39b098425

data/CHANGELOG CHANGED Viewed

@@ -1,3 +1,33 @@
+* 2021-apr-20 - v5.0.0
+  - Drop support for Rack <= 2.0.8 and Rails < 5.2
+  - Update for new rubies
+  - Cleanup readme and comments
+* 2017-may-22 - v4.2.0
+  - Fixed ActiveRecord session cleanup on Rails 5.1
+  - Prevent ActiveRecord session cleanup from possibly running more often than
+    configured due to Rails loading sessions more than once per request.
+* 2016-feb-12 - v4.1.0
+  - Support Rails 5.0 & Rack 2.0
+* 2013-dec-14 - v4.0.1
+  - Fix deprecation warning
+* 2013-jun-15 - Support for Rails 4
+  - v4.0.0 - Rails 4 compatibility. Use v3.x.x for Rails 3 apps.
+  - For non-ActiveRecord session stores, no change is required from the
+    previous version.
+  - For ActiveRecord session stores, you must add the
+    'activerecord-session_store' gem to your Gemfile and it must be
+    above limited_sessions so that it will be auto-detected properly.
+    This is the only change required.
 * 2012-nov-14 - Merge changes from ejdraper
   - Lower Rack requirement to v1.2.5+ for Rails 3.0 compatibility

data/MIT-LICENSE CHANGED Viewed

@@ -1,4 +1,4 @@
-Copyright 2007-2012 t.e.morgan
+Copyright 2007-2021 t.e.morgan
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the

data/README.md ADDED Viewed

@@ -0,0 +1,205 @@
+# LimitedSessions
+LimitedSessions provides two distinct features, each in a separate part:
+* Rack-compatible middleware that expires sessions based on inactivity or maximum session length. The middleware supports any session storage type, including cookies, Redis, ActiveRecord, etc.
+* Rails extension to the (now separate) ActiveRecord Session Store to auto-cleanup stale session records.
+## Features
+* For all session stores:
+  * Configurable session expiry time (eg: 2 hours from last page access)
+  * Optional hard maximum limit from beginning of session (eg: 24 hours)
+* When using the ActiveRecord Session Store:
+  * DB-based handling of session expiry (activity and hard limits) instead of by session paramters
+  * Auto-cleaning of expired session records
+## Requirements
+* Rack and any Rack-compatible app (including Rails)
+* Utilizing Rack's (or Rails') sessions
+* For ActiveRecord session enhancements:
+  * Must be using the standard ActiveRecord::SessionStore
+    (`ActionDispatch::Session::ActiveRecordStore.session_store = :active_record_store`)
+  * Ensure your sessions table has an `updated_at` column
+  * If using hard session limits, a `created_at` column is needed too
+## Compatibility
+The middleware should be compatible with any framework using a recent version of Rack. It has been tested with Rack 2.x and Rails 5.2-6.1.
+The optional ActiveRecord Session Store extension requires Rails.
+If using Rack < 2.0.9 or Rails < 5.2, use LimitedSessions 4.x.
+## Upgrading
+No changes are required to upgrade from LimitedSessions 4.x to 5.0.
+Upgrading `activerecord-session_store` from 1.x to 2.x may require changes. See its own upgrade instructions.
+## Installation
+Add this gem to your Gemfile or otherwise make it available to your app. Then, configure as required.
+```ruby
+gem 'limited_sessions', '~> 5'
+```
+If storing sessions in the DB using ActiveRecord with AR Session Store:
+```ruby
+gem 'activerecord-session_store'
+gem 'limited_sessions', '~> 5'
+```
+`activerecord-session_store` must be loaded first in order for `limited_sessions` to properly detect it.
+## Configuration
+### Rack Middleware with Rails
+1. Add/update `config/initializers/session_store.rb` and append the following:
+    ```ruby
+    config.middleware.insert_after ActionDispatch::Flash, LimitedSessions::Expiry, \
+      recent_activity: 2.hours, max_session: 24.hours
+    ```
+2. Configuration options.
+    The example above shows both configuration options. You may include one, both, or none.
+    #### Session activity timeout
+    Example: `recent_activity: 2.hours`
+    By default, the session activity timeout is disabled (`nil`).
+    #### Maximum session length
+    Example: `max_session: 24.hours`
+    By default, the maximum session length is disabled (`nil`).
+### Rack Middleware apart from Rails
+1. In `config.ru`, add the following *after* the middleware that handles your sessions.
+    ```ruby
+    use LimitedSessions::Expiry, recent_activity: 2.hours, max_session: 24.hours
+    ```
+2. For configuration options, see #2 above, under Rack Middleware with Rails.
+### ActionRecord Session Store extension
+1. If you don't already have an `updated_at` column on your sessions table, create a migration and add it. If you plan to use the hard session limit feature, you'll also need to add `created_at`.
+2. Tell Rails to use your the new session store. Change `config/initializers/session_store.rb` to reflect the following:
+    ```ruby
+    Rails.application.config.session_store :active_record_store
+    ActionDispatch::Session::ActiveRecordStore.session_class = LimitedSessions::SelfCleaningSession
+    ```
+3. Configuration options.
+    Each of the following options should also be added to your initializer file from step 2.
+    #### Self-cleaning
+    By default, SelfCleaningSession will clean the sessions table every 1000 page views. Technically, it's a 1 in 1000 chance on each page. For most sites this is good. Higher traffic sites may want to increase it to 10000 or more. Set to 0 to disable self-cleaning.
+    ```ruby
+    LimitedSessions::SelfCleaningSession.self_clean_sessions = 1000
+    ```
+    #### Session activity timeout
+    The default session activity timeout is 2 hours. This uses the `updated_at` column which will be updated on every page load.
+    This can also be disabled by setting to `nil`. However, the `updated_at` column is still required for self-cleaning and will effectively function as if set to `1.week`. If you really want it longer, set it to `1.year` or something.
+    ```ruby
+    LimitedSessions::SelfCleaningSession.recent_activity = 2.hours
+    ```
+    #### Maximum session length
+    By default, maximum session length handling is disabled. When enabled, it uses the `created_at` column to do its work.
+    A value of `nil` disables this feature and `created_at` does not need to exist in this case.
+    ```ruby
+    LimitedSessions::SelfCleaningSession.max_session = 12.hours
+    ```
+## Questions
+* Do I need both the middleware and the ActiveRecord Session Store?
+  No. While it should work, it is not necessary to use both the middleware
+  and the ActiveRecord Session Store. If you are storing sessions via AR,
+  then use the ActiveRecord Session Store. If you are storing sessions any
+  other way, then use the middleware.
+* I'm storing sessions in {Memcache, Redis, etc.} and they auto-expire sessions. Do I need this?
+  Maybe, maybe not. Normally, that auto-expire period is equivalent to LimitedSessions' :recent_activity. If that's all you want, then you don't need this. However, if you'd also like to put a maximum cap on session length, regardless of activity, then LimitedSessions' `:max_session` feature will still be useful.
+* Can I use the middleware with ActiveRecord instead of the ActionRecord Session Store enhancement?
+  Yes. Session expiry (recent activity and max session length) should work fine in this circumstance. The only thing you won't get is self-cleaning of the AR sessions table.
+* How are session expiry times tracked?
+  The middleware adds one or two keys to the session data: `:last_visit` and/or `:first_visit`.
+  The AR enhancement uses `updated_a`t and possibly `created_at`.
+* How is this different from using the session cookie's own expires= value?
+  The cookie's own value puts the trust in the client to self-expire. If you really want to control session lengths, then you need to manage the values on the application side. LimitedSessions is fully compatible with the cookie's expires= value, however, and the two can be used together.
+* What's the difference between `:recent_activity` and `:max_session`?
+  Recent activity requires regular access on your site. If it's set to 15 minutes, then a page must be loaded at least once every 15 minutes.
+  Max session is a cap on the session from the very beginning. If it's set to 12 hours, then even if a user is accessing the page constantly, and not triggering the recent activity timeout, after 12 hours their session would be reset anyway.
+* What are the security implications of using LimitedSessions?
+  LimitedSessions enhances security by reducing risk of session cookie replay attacks. The specifics will depend on what cookie store you're using.
+  For Rails' default cookie store, `:max_session` handling is perhaps most valuable as it guarantees an end to the session. Rails' default behavior allows a session to last for an infinite time. If a cookie is somehow exposed, the holder of the cookie has an open-ended session. Note that signing and/or encryption do not mitigate this.
+  For any session store that uses a server-side database (AR, memcache, Redis, etc.), at least the user can formally logout and terminate the session. Auto-expiring sessions (memcache, Redis, AR w/SelfCleaningSession, etc.) will also expire if allowed to, but can also be maintained perpetually by ongoing access.
+  Since the cookie store doesn't expire ever, `:recent_activity` addresses this by making sessions expire similarly to if memcache, Redis, or something similar was being used.
+  It is recommended to use both aspects of LimitedSessions for best security.
+* What are the performance implications of using LimitedSessions?
+  The middleware should have minimal impact.
+  The AR enhancement should result in an overall net gain in performance as the size of the AR sessions table will be kept to a smaller size. The 1 in 1000 hit (or whatever you've configured it to) may be slightly slower while the database cleanup is in progress.
+## Contributing
+1. Fork it ( https://github.com/zarqman/smart_assets/fork )
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create new Pull Request
+## License
+MIT

data/lib/limited_sessions.rb CHANGED Viewed

@@ -1,11 +1,7 @@
-# LimitedSessions
-# (c) 2007-2012 t.e.morgan
-# Made available under the MIT license
 module LimitedSessions
 end
 require 'limited_sessions/expiry'
-if defined? ActiveRecord
+if defined? ActiveRecord::SessionStore::Session
   require 'limited_sessions/self_cleaning_session'
 end

data/lib/limited_sessions/expiry.rb CHANGED Viewed

@@ -1,16 +1,9 @@
-# LimitedSessions
-# (c) 2007-2012 t.e.morgan
-# Made available under the MIT license
-# This version is compatible with Rack 1.4 (possibly earlier; untested).
-# Correspondingly, it is compatible with Rails 3.x.
 module LimitedSessions
   # Rack middleware that should be installed *after* the session handling middleware
   class Expiry
     DEFAULT_OPTIONS = {
-      :recent_activity => nil,  # eg: 2.hours
-      :max_session => nil       # eg: 24.hours
+      recent_activity: nil,  # eg: 2.hours
+      max_session: nil       # eg: 24.hours
     }
     def initialize(app, options={})

data/lib/limited_sessions/self_cleaning_session.rb CHANGED Viewed

@@ -1,14 +1,8 @@
-# LimitedSessions
-# (c) 2007-2012 t.e.morgan
-# Made available under the MIT license
-# This is the Rails 3.x version; it is /not/ compatible with Rails 2.x.
 module LimitedSessions
   class SelfCleaningSession < ActiveRecord::SessionStore::Session
     # disable short circuit by Dirty module; ensures :updated_at is kept updated
-    self.partial_updates = false
+    self.partial_writes = false
     self.table_name = 'sessions'
@@ -29,19 +23,21 @@ module LimitedSessions
       # If this is a problem, use a migration and rename the column.
       def find_by_session_id(session_id)
         consider_self_clean
-        active_session.current_session.where(:session_id=>session_id).first
+        active_session.current_session.where(session_id: session_id).first
       end
       private
       def consider_self_clean
         return if self_clean_sessions == 0
+        return if defined?(@@last_check) && @@last_check == Time.now.to_i
         if rand(self_clean_sessions) == 0
+          @@last_check = Time.now.to_i
           # logger.info "SelfCleaningSession :: scrubbing expired sessions"
           look_back_recent = recent_activity || 1.week
           if max_session
-            delete_all ['updated_at < ? OR created_at < ?', Time.current - look_back_recent, Time.current - max_session]
+            self.where('updated_at < ? OR created_at < ?', Time.current - look_back_recent, Time.current - max_session).delete_all
           elsif columns_hash['updated_at']
-            delete_all ['updated_at < ?', Time.current - look_back_recent]
+            self.where('updated_at < ?', Time.current - look_back_recent).delete_all
           else
             # logger.warning "WARNING: Unable to self-clean Sessions table; updated_at column is missing"
             self.self_clean_sessions = 0

data/lib/limited_sessions/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module LimitedSessions
-  VERSION = "3.0.2"
+  VERSION = '5.0.0'
 end

metadata CHANGED Viewed

@@ -1,94 +1,96 @@
 --- !ruby/object:Gem::Specification
 name: limited_sessions
 version: !ruby/object:Gem::Version
-  version: 3.0.2
-  prerelease:
+  version: 5.0.0
 platform: ruby
 authors:
 - t.e.morgan
-autorequire:
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2012-11-15 00:00:00.000000000 Z
+date: 2021-04-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
-        version: 1.2.5
-    - - <
+        version: 2.0.9
+    - - "<"
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: '3'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
-        version: 1.2.5
-    - - <
+        version: 2.0.9
+    - - "<"
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: '3'
 - !ruby/object:Gem::Dependency
   name: sqlite3
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: rails
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ~>
+    - - ">="
       - !ruby/object:Gem::Version
-        version: 3.2.6
+        version: '5.2'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '6.2'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ~>
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '5.2'
+    - - "<"
       - !ruby/object:Gem::Version
-        version: 3.2.6
-description: ! 'LimitedSessions provides two core features to handle cookie-based
-  session expiry: 1) Rack Middleware for most session stores and 2) an ActiveRecord
-  extension for AR-based session stores. Sessions can be expired on inactivity and/or
-  overall session length.'
+        version: '6.2'
+description: 'LimitedSessions provides two core features to handle cookie-based session
+  expiry: 1) Rack Middleware for most session stores and 2) an ActiveRecord extension
+  for AR-based session stores. Sessions can be expired on inactivity and/or overall
+  session length.'
 email:
 - tm@iprog.com
 executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- CHANGELOG
+- MIT-LICENSE
+- README.md
+- Rakefile
+- lib/limited_sessions.rb
 - lib/limited_sessions/expiry.rb
 - lib/limited_sessions/self_cleaning_session.rb
 - lib/limited_sessions/version.rb
-- lib/limited_sessions.rb
 - lib/tasks/limited_sessions_tasks.rake
-- MIT-LICENSE
-- Rakefile
-- README
-- CHANGELOG
+- test/dummy/README.rdoc
+- test/dummy/Rakefile
 - test/dummy/app/assets/javascripts/application.js
 - test/dummy/app/assets/stylesheets/application.css
 - test/dummy/app/controllers/application_controller.rb
 - test/dummy/app/helpers/application_helper.rb
 - test/dummy/app/views/layouts/application.html.erb
+- test/dummy/config.ru
 - test/dummy/config/application.rb
 - test/dummy/config/boot.rb
 - test/dummy/config/database.yml
@@ -104,72 +106,65 @@ files:
 - test/dummy/config/initializers/wrap_parameters.rb
 - test/dummy/config/locales/en.yml
 - test/dummy/config/routes.rb
-- test/dummy/config.ru
-- test/dummy/db/test.sqlite3
 - test/dummy/log/test.log
 - test/dummy/public/404.html
 - test/dummy/public/422.html
 - test/dummy/public/500.html
 - test/dummy/public/favicon.ico
-- test/dummy/Rakefile
-- test/dummy/README.rdoc
 - test/dummy/script/rails
 - test/limited_sessions_test.rb
 - test/test_helper.rb
-homepage: http://iprog.com/projects#limited_sessions
+homepage: https://iprog.com/projects#limited_sessions
 licenses: []
-post_install_message:
+metadata: {}
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
-  none: false
   requirements:
-  - - ! '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
-  none: false
   requirements:
-  - - ! '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project:
-rubygems_version: 1.8.24
-signing_key:
-specification_version: 3
+rubygems_version: 3.0.9
+signing_key:
+specification_version: 4
 summary: Server-side session expiry via either Rack Middleware or ActiveRecord extension
 test_files:
+- test/dummy/app/controllers/application_controller.rb
+- test/dummy/app/views/layouts/application.html.erb
 - test/dummy/app/assets/javascripts/application.js
 - test/dummy/app/assets/stylesheets/application.css
-- test/dummy/app/controllers/application_controller.rb
 - test/dummy/app/helpers/application_helper.rb
-- test/dummy/app/views/layouts/application.html.erb
-- test/dummy/config/application.rb
-- test/dummy/config/boot.rb
-- test/dummy/config/database.yml
-- test/dummy/config/environment.rb
-- test/dummy/config/environments/development.rb
+- test/dummy/config/routes.rb
+- test/dummy/config/locales/en.yml
 - test/dummy/config/environments/production.rb
+- test/dummy/config/environments/development.rb
 - test/dummy/config/environments/test.rb
+- test/dummy/config/environment.rb
+- test/dummy/config/application.rb
+- test/dummy/config/database.yml
+- test/dummy/config/boot.rb
 - test/dummy/config/initializers/backtrace_silencers.rb
-- test/dummy/config/initializers/inflections.rb
 - test/dummy/config/initializers/mime_types.rb
-- test/dummy/config/initializers/secret_token.rb
 - test/dummy/config/initializers/session_store.rb
 - test/dummy/config/initializers/wrap_parameters.rb
-- test/dummy/config/locales/en.yml
-- test/dummy/config/routes.rb
+- test/dummy/config/initializers/secret_token.rb
+- test/dummy/config/initializers/inflections.rb
 - test/dummy/config.ru
-- test/dummy/db/test.sqlite3
-- test/dummy/log/test.log
-- test/dummy/public/404.html
+- test/dummy/script/rails
+- test/dummy/Rakefile
+- test/dummy/public/favicon.ico
 - test/dummy/public/422.html
 - test/dummy/public/500.html
-- test/dummy/public/favicon.ico
-- test/dummy/Rakefile
+- test/dummy/public/404.html
+- test/dummy/log/test.log
 - test/dummy/README.rdoc
-- test/dummy/script/rails
 - test/limited_sessions_test.rb
 - test/test_helper.rb

data/README DELETED Viewed

@@ -1,201 +0,0 @@
-LimitedSessions
-===============
-Copyright 2007-2012 t.e.morgan.
-License: MIT
-Updates/info: http://iprog.com/projects#limited_sessions
-Source: https://github.com/zarqman/limited_sessions
-Contact: tm@iprog.com
-LimitedSessions provides two distinct features, each in a separate part:
-  * Rack-compatible middleware that expires sessions based on inactivity or
-    maximum session length. This works with Rails 3 just fine.
-  * Rails 3 extension to the ActiveRecord Session Store to auto-cleanup stale
-    session records.
-Notes on Rails and Rack versions:
-  The middleware should be compatible with any framework using a recent
-  version of Rack. It was tested with Rack 1.4 and Rails 3.2.
-  The ActiveRecord Session Store extension requires Rails 3 (and was also
-  tested with Rails 3.2).
-  Versions compatible with Rails 2.3 and Rails 2.2/prior can be found at:
-  https://github.com/zarqman/limited_sessions/tree/v2.3 and
-  https://github.com/zarqman/limited_sessions/tree/v2.2
-Upgrading from previous versions:
-  Both initialization and configuration options have changed. See the
-  Configuration section below.
-  Note that all support for IP address restrictions has been removed. IPv4/IPv6
-  dual-stack environments have demonstrated a number of real-world issues,
-  namely user HTTP traffic bouncing between IPv4 and IPv6 resulting in chronic
-  session resets. Additionally, homes and offices increasingly have two or more
-  ISPs, not to mention mobile devices bouncing between WiFi and 3G/4G networks.
-  These scenarios also cause frequent IP address changes.
-Features:
-  * For all session stores:
-    * Configurable session expiry time (eg: 2 hours from last page access)
-    * Optional hard maximum limit from beginning of session (eg: 24 hours)
-  * When using the ActiveRecord Session Store:
-    * DB-based handling of session expiry (activity and hard limits) instead of
-      by session paramters
-    * Auto-cleaning of expired session records
-Requirements:
-  * Rack and possibly Rails 3
-  * Utilizing Rack's (or Rails') sessions support
-  * For ActiveRecord session enhancements:
-    * Must be using the standard ActiveRecord::SessionStore
-      (ActionController::Base.session_store = :active_record_store)
-    * Ensure your sessions table has an `updated_at` column
-    * If using hard session limits, a `created_at` column is needed too
-Installation:
-  Add this gem to your Gemfile (Rails) or otherwise make it available to your
-  app. Then, configure as required.
-  gem 'limited_sessions'
-Configuration:
-  Rack Middleware with Rails
-    1. To either your config/environments/production.rb or your
-       config/application.rb file (depending on if you want this to apply in
-       production only or also during development), add the following:
-       config.middleware.insert_after ActionDispatch::Flash, LimitedSessions::Expiry, \
-         :recent_activity=>2.hours, :max_session=>24.hours
-    2. Configuration options.
-       The example above shows both configuration options. You may include
-       both, one, or none.
-       * Session activity timeout *
-       Example: :recent_activity => 2.hours
-       By default, the session activity timeout is disabled (nil).
-       * Maximum session length *
-       Example: :max_session => 24.hours
-       By default, the maximum session length is disabled (nil).
-  Rack Middleware apart from Rails
-    1. In your config.ru, add the following *after* the middleware that handles
-       your sessions.
-       use LimitedSessions::Expiry, :recent_activity=>2.hours, :max_session=>24.hours
-    2. See #2 above, under Rack Middleware with Rails, for Configuration options.
-  ActionRecord Session Store
-    1. If you don't already have an 'updated_at' column on your sessions table,
-       create a migration and add it. If you plan to use the hard session limit
-       feature, you'll also need to add 'created_at'.
-    2. Tell Rails to use your the new session store. Change
-       config/initializers/session_store.rb to reflect the following:
-       <YourApp>::Application.config.session_store :active_record_store
-       ActiveRecord::SessionStore.session_class = LimitedSessions::SelfCleaningSession
-    3. Configuration options.
-       Each of the following options should also be added to your initializer
-       file from step 2.
-       * Self-cleaning *
-       By default, SelfCleaningSession will clean sessions out about every 1000
-       page views. Technically, it's a 1 in 1000 chance on each page. For most
-       sites this is good. Higher traffic sites may want to increase it to
-       10000 or more. 0 will disable self-cleaning.
-       LimitedSessions::SelfCleaningSession.self_clean_sessions = 1000
-       * Session activity timeout *
-       The default session activity timeout is 2 hours. This uses the
-       'updated_at' column which will be updated on every page load.
-       This can also be disabled by setting to nil. However, the 'updated_at'
-       column is still required for self-cleaning and will effectively function
-       as if this was set to 1.week. If you really want it longer, set it to
-       1.year or something.
-       LimitedSessions::SelfCleaningSession.recent_activity = 2.hours
-       * Maximum session length *
-       By default, the maximum session length handling is disabled. When
-       enabled, it uses the 'created_at' column to do its work.
-       A value of nil disables this feature and 'created_at' does not need to
-       exist in this case.
-       LimitedSessions::SelfCleaningSession.max_session = 12.hours
-Other questions:
-  Do I need both the middleware and the ActiveRecord Session Store?
-    No. While it should work, it is not necessary to use both the middleware
-    and the ActiveRecord Session Store. If you are storing sessions via AR,
-    then use the ActiveRecord Session Store. If you are storing sessions any
-    other way, then use the middleware.
-  I'm storing sessions in {Memcache, Redis, etc.} and they auto-expire
-  sessions. Do I need this?
-    Maybe, maybe not. Normally, that auto-expire period is equivalent to
-    LimitedSessions' :recent_activity. If that's all you want, then you don't
-    need this. However, if you'd also like to put a maximum cap on session
-    length, regardless of activity, then LimitedSessions' :max_session feature
-    will still be useful.
-  Can I use the middleware with ActiveRecord instead of the ActionRecord
-  Session Store enhancement?
-    Yes; session expiry (recent activity and max session length) should work
-    fine in this circumstance. The only thing you won't get is self-cleaning of
-    the AR sessions table.
-  How are session expiry times tracked?
-    The middleware adds one or two keys to the session data: :last_visit and/or
-    :first_visit.
-    The AR enhancement uses 'updated_at' and possibly 'created_at'.
-  How is this different from using the session cookie's own expires= value?
-    The cookie's own value puts the trust in the client to self-expire. If you
-    really want to control session lengths, then you need to manage the values
-    on the application side. LimitedSessions is fully compatible with the
-    cookie's expires= value, however, and the two can be used together.
-  What's the difference between :recent_activity and :max_session?
-    Recent activity requires regular access on your site. If it's set to 15
-    minutes, then a page must be loaded at least once every 15 minutes.
-    Max session is a cap on the session from the very beginning. If it's set to
-    12 hours, then even if a user is accessing the page constantly, and not
-    triggering the recent activity timeout, after 12 hours their session would
-    be reset anyway.
-  Is the AR enhancement compatible with the legacy 'sessid' column?
-    No. Please rename that column to 'session_id'.
-Other Notes:
-  I'm sure there are better ways to do some of what's here, but this seems to
-  work. This version has been tested on Rack 1.4, Rails 3.2, PostgreSQL 9.1,
-  and Redis 2.2 (via the redis and redis-session-store gems). Other databases
-  and session stores should work, but if you find a bug, I'd love to hear about
-  it. Likewise, give me a shout if you have a suggestion or just want to tell
-  me that it works. Thanks for checking limited_sessions out!
-      --t (tm@iprog.com; http://iprog.com/)

data/test/dummy/db/test.sqlite3 DELETED Viewed

File without changes