RubyGems - limited_sessions - Versions diffs - 4.1.0 → 5.0.1 - Mend

limited_sessions 4.1.0 → 5.0.1

Files changed (10) hide show

checksums.yaml +5 -5
data/CHANGELOG +16 -0
data/MIT-LICENSE +1 -1
data/README.md +205 -0
data/lib/limited_sessions/expiry.rb +2 -9
data/lib/limited_sessions/self_cleaning_session.rb +10 -10
data/lib/limited_sessions/version.rb +1 -1
data/lib/limited_sessions.rb +0 -4
metadata +21 -20
data/README +0 -229

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: a14e5b8ce5202da6e1452b2841774f4cdae0d57d
-  data.tar.gz: e075a3d2ce01c91352a926be7ec5b9952ccca9fb
+SHA256:
+  metadata.gz: e49ec43bc1c4f86c591c152081196467df00bf82949d2ec838506e6d2c71e033
+  data.tar.gz: 6d88ce0966c834298391d13493482b047394a75764342aa735c7703005eef181
 SHA512:
-  metadata.gz: c3b6973575a2129f8065448e7e9d96ee8dec26f8294d2c143d3c0d2af246d85c90e7909366f59a6dc1472c9912eaba79a79beca2fcabafeee589160888cb3c49
-  data.tar.gz: 71fb03540633023b30fe6bdcc53ac79143f66b25cab453fc57bf5f3c1ed1c32049c594bcf976d1d25eb028db7bde8be7a0afbfa76e77138ecd1ec21e8a0be35e
+  metadata.gz: f78ee40a5c1158c5aa886d23d670da59529d5f27d9fb5f64533a686bc5e362e6288a5db15a5ecdaafee5922f7f45ce030ca6d33729d5535ead5ca5fc69748798
+  data.tar.gz: 9da570b7fd00bebea9acb009e33657823d69b4e6ae855cf90907afe08bb9b06250429721fd078d7565e53b5ef1f645709507c4ad24e2bc0231b33b6d1f8d3e61

data/CHANGELOG CHANGED Viewed

@@ -1,3 +1,19 @@
+* 2022-aug-10 - v5.0.1
+  - Fix for deprecation warning in Rails 7
+* 2021-apr-20 - v5.0.0
+  - Drop support for Rack <= 2.0.8 and Rails < 5.2
+  - Update for new rubies
+  - Cleanup readme and comments
+* 2017-may-22 - v4.2.0
+  - Fixed ActiveRecord session cleanup on Rails 5.1
+  - Prevent ActiveRecord session cleanup from possibly running more often than
+    configured due to Rails loading sessions more than once per request.
 * 2016-feb-12 - v4.1.0
   - Support Rails 5.0 & Rack 2.0

data/MIT-LICENSE CHANGED Viewed

@@ -1,4 +1,4 @@
-Copyright 2007-2013 t.e.morgan
+Copyright 2007-2022 t.e.morgan
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the

data/README.md ADDED Viewed

@@ -0,0 +1,205 @@
+# LimitedSessions
+LimitedSessions provides two distinct features, each in a separate part:
+* Rack-compatible middleware that expires sessions based on inactivity or maximum session length. The middleware supports any session storage type, including cookies, Redis, ActiveRecord, etc.
+* Rails extension to the (now separate) ActiveRecord Session Store to auto-cleanup stale session records.
+## Features
+* For all session stores:
+  * Configurable session expiry time (eg: 2 hours from last page access)
+  * Optional hard maximum limit from beginning of session (eg: 24 hours)
+* When using the ActiveRecord Session Store:
+  * DB-based handling of session expiry (activity and hard limits) instead of by session paramters
+  * Auto-cleaning of expired session records
+## Requirements
+* Rack and any Rack-compatible app (including Rails)
+* Utilizing Rack's (or Rails') sessions
+* For ActiveRecord session enhancements:
+  * Must be using the standard ActiveRecord::SessionStore
+    (`ActionDispatch::Session::ActiveRecordStore.session_store = :active_record_store`)
+  * Ensure your sessions table has an `updated_at` column
+  * If using hard session limits, a `created_at` column is needed too
+## Compatibility
+The middleware should be compatible with any framework using a recent version of Rack. It has been tested with Rack 2.x and Rails 5.2-7.0.
+The optional ActiveRecord Session Store extension requires Rails.
+If using Rack < 2.0.9 or Rails < 5.2, use LimitedSessions 4.x.
+## Upgrading
+No changes are required to upgrade from LimitedSessions 4.x to 5.0.
+Upgrading `activerecord-session_store` from 1.x to 2.x may require changes. See its own upgrade instructions.
+## Installation
+Add this gem to your Gemfile or otherwise make it available to your app. Then, configure as required.
+```ruby
+gem 'limited_sessions', '~> 5'
+```
+If storing sessions in the DB using ActiveRecord with AR Session Store:
+```ruby
+gem 'activerecord-session_store'
+gem 'limited_sessions', '~> 5'
+```
+`activerecord-session_store` must be loaded first in order for `limited_sessions` to properly detect it.
+## Configuration
+### Rack Middleware with Rails
+1. Add/update `config/initializers/session_store.rb` and append the following:
+    ```ruby
+    config.middleware.insert_after ActionDispatch::Flash, LimitedSessions::Expiry, \
+      recent_activity: 2.hours, max_session: 24.hours
+    ```
+2. Configuration options.
+    The example above shows both configuration options. You may include one, both, or none.
+    #### Session activity timeout
+    Example: `recent_activity: 2.hours`
+    By default, the session activity timeout is disabled (`nil`).
+    #### Maximum session length
+    Example: `max_session: 24.hours`
+    By default, the maximum session length is disabled (`nil`).
+### Rack Middleware apart from Rails
+1. In `config.ru`, add the following *after* the middleware that handles your sessions.
+    ```ruby
+    use LimitedSessions::Expiry, recent_activity: 2.hours, max_session: 24.hours
+    ```
+2. For configuration options, see #2 above, under Rack Middleware with Rails.
+### ActionRecord Session Store extension
+1. If you don't already have an `updated_at` column on your sessions table, create a migration and add it. If you plan to use the hard session limit feature, you'll also need to add `created_at`.
+2. Tell Rails to use your the new session store. Change `config/initializers/session_store.rb` to reflect the following:
+    ```ruby
+    Rails.application.config.session_store :active_record_store
+    ActionDispatch::Session::ActiveRecordStore.session_class = LimitedSessions::SelfCleaningSession
+    ```
+3. Configuration options.
+    Each of the following options should also be added to your initializer file from step 2.
+    #### Self-cleaning
+    By default, SelfCleaningSession will clean the sessions table every 1000 page views. Technically, it's a 1 in 1000 chance on each page. For most sites this is good. Higher traffic sites may want to increase it to 10000 or more. Set to 0 to disable self-cleaning.
+    ```ruby
+    LimitedSessions::SelfCleaningSession.self_clean_sessions = 1000
+    ```
+    #### Session activity timeout
+    The default session activity timeout is 2 hours. This uses the `updated_at` column which will be updated on every page load.
+    This can also be disabled by setting to `nil`. However, the `updated_at` column is still required for self-cleaning and will effectively function as if set to `1.week`. If you really want it longer, set it to `1.year` or something.
+    ```ruby
+    LimitedSessions::SelfCleaningSession.recent_activity = 2.hours
+    ```
+    #### Maximum session length
+    By default, maximum session length handling is disabled. When enabled, it uses the `created_at` column to do its work.
+    A value of `nil` disables this feature and `created_at` does not need to exist in this case.
+    ```ruby
+    LimitedSessions::SelfCleaningSession.max_session = 12.hours
+    ```
+## Questions
+* Do I need both the middleware and the ActiveRecord Session Store?
+  No. While it should work, it is not necessary to use both the middleware
+  and the ActiveRecord Session Store. If you are storing sessions via AR,
+  then use the ActiveRecord Session Store. If you are storing sessions any
+  other way, then use the middleware.
+* I'm storing sessions in {Memcache, Redis, etc.} and they auto-expire sessions. Do I need this?
+  Maybe, maybe not. Normally, that auto-expire period is equivalent to LimitedSessions' :recent_activity. If that's all you want, then you don't need this. However, if you'd also like to put a maximum cap on session length, regardless of activity, then LimitedSessions' `:max_session` feature will still be useful.
+* Can I use the middleware with ActiveRecord instead of the ActionRecord Session Store enhancement?
+  Yes. Session expiry (recent activity and max session length) should work fine in this circumstance. The only thing you won't get is self-cleaning of the AR sessions table.
+* How are session expiry times tracked?
+  The middleware adds one or two keys to the session data: `:last_visit` and/or `:first_visit`.
+  The AR enhancement uses `updated_at` and possibly `created_at`.
+* How is this different from using the session cookie's own expires= value?
+  The cookie's own value puts the trust in the client to self-expire. If you really want to control session lengths, then you need to manage the values on the application side. LimitedSessions is fully compatible with the cookie's expires= value, however, and the two can be used together.
+* What's the difference between `:recent_activity` and `:max_session`?
+  Recent activity requires regular access on your site. If it's set to 15 minutes, then a page must be loaded at least once every 15 minutes.
+  Max session is a cap on the session from the very beginning. If it's set to 12 hours, then even if a user is accessing the page constantly, and not triggering the recent activity timeout, after 12 hours their session would be reset anyway.
+* What are the security implications of using LimitedSessions?
+  LimitedSessions enhances security by reducing risk of session cookie replay attacks. The specifics will depend on what cookie store you're using.
+  For Rails' default cookie store, `:max_session` handling is perhaps most valuable as it guarantees an end to the session. Rails' default behavior allows a session to last for an infinite time. If a cookie is somehow exposed, the holder of the cookie has an open-ended session. Note that signing and/or encryption do not mitigate this.
+  For any session store that uses a server-side database (AR, memcache, Redis, etc.), at least the user can formally logout and terminate the session. Auto-expiring sessions (memcache, Redis, AR w/SelfCleaningSession, etc.) will also expire if allowed to, but can also be maintained perpetually by ongoing access.
+  Since the cookie store doesn't expire ever, `:recent_activity` addresses this by making sessions expire similarly to if memcache, Redis, or something similar was being used.
+  It is recommended to use both aspects of LimitedSessions for best security.
+* What are the performance implications of using LimitedSessions?
+  The middleware should have minimal impact.
+  The AR enhancement should result in an overall net gain in performance as the size of the AR sessions table will be kept to a smaller size. The 1 in 1000 hit (or whatever you've configured it to) may be slightly slower while the database cleanup is in progress.
+## Contributing
+1. Fork it ( https://github.com/zarqman/limited_sessions/fork )
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create new Pull Request
+## License
+MIT

data/lib/limited_sessions/expiry.rb CHANGED Viewed

@@ -1,16 +1,9 @@
-# LimitedSessions
-# (c) 2007-2013 t.e.morgan
-# Made available under the MIT license
-# This version is compatible with Rack 1.4-1.5 (possibly earlier; untested).
-# Correspondingly, it is compatible with Rails 3.x-4.x.
 module LimitedSessions
   # Rack middleware that should be installed *after* the session handling middleware
   class Expiry
     DEFAULT_OPTIONS = {
-      :recent_activity => nil,  # eg: 2.hours
-      :max_session => nil       # eg: 24.hours
+      recent_activity: nil,  # eg: 2.hours
+      max_session: nil       # eg: 24.hours
     }
     def initialize(app, options={})

data/lib/limited_sessions/self_cleaning_session.rb CHANGED Viewed

@@ -1,14 +1,12 @@
-# LimitedSessions
-# (c) 2007-2012 t.e.morgan
-# Made available under the MIT license
-# This is the Rails 4.x version.
 module LimitedSessions
   class SelfCleaningSession < ActiveRecord::SessionStore::Session
     # disable short circuit by Dirty module; ensures :updated_at is kept updated
-    self.partial_writes = false
+    if Rails::VERSION::MAJOR >= 7
+      self.partial_updates = false
+    else
+      self.partial_writes = false
+    end
     self.table_name = 'sessions'
@@ -29,19 +27,21 @@ module LimitedSessions
       # If this is a problem, use a migration and rename the column.
       def find_by_session_id(session_id)
         consider_self_clean
-        active_session.current_session.where(:session_id=>session_id).first
+        active_session.current_session.where(session_id: session_id).first
       end
       private
       def consider_self_clean
         return if self_clean_sessions == 0
+        return if defined?(@@last_check) && @@last_check == Time.now.to_i
         if rand(self_clean_sessions) == 0
+          @@last_check = Time.now.to_i
           # logger.info "SelfCleaningSession :: scrubbing expired sessions"
           look_back_recent = recent_activity || 1.week
           if max_session
-            delete_all ['updated_at < ? OR created_at < ?', Time.current - look_back_recent, Time.current - max_session]
+            self.where('updated_at < ? OR created_at < ?', Time.current - look_back_recent, Time.current - max_session).delete_all
           elsif columns_hash['updated_at']
-            delete_all ['updated_at < ?', Time.current - look_back_recent]
+            self.where('updated_at < ?', Time.current - look_back_recent).delete_all
           else
             # logger.warning "WARNING: Unable to self-clean Sessions table; updated_at column is missing"
             self.self_clean_sessions = 0

data/lib/limited_sessions/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module LimitedSessions
-  VERSION = '4.1.0'
+  VERSION = '5.0.1'
 end

data/lib/limited_sessions.rb CHANGED Viewed

@@ -1,7 +1,3 @@
-# LimitedSessions
-# (c) 2007-2013 t.e.morgan
-# Made available under the MIT license
 module LimitedSessions
 end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: limited_sessions
 version: !ruby/object:Gem::Version
-  version: 4.1.0
+  version: 5.0.1
 platform: ruby
 authors:
 - t.e.morgan
-autorequire:
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2016-02-13 00:00:00.000000000 Z
+date: 2022-08-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
@@ -16,7 +16,7 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.2.5
+        version: 2.0.9
     - - "<"
       - !ruby/object:Gem::Version
         version: '3'
@@ -26,7 +26,7 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.2.5
+        version: 2.0.9
     - - "<"
       - !ruby/object:Gem::Version
         version: '3'
@@ -50,24 +50,24 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '4.0'
+        version: '5.2'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '5.1'
+        version: '7.1'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '4.0'
+        version: '5.2'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '5.1'
+        version: '7.1'
 description: 'LimitedSessions provides two core features to handle cookie-based session
   expiry: 1) Rack Middleware for most session stores and 2) an ActiveRecord extension
   for AR-based session stores. Sessions can be expired on inactivity and/or overall
-  session length.'
+  session length. Works with and without Rails.'
 email:
 - tm@iprog.com
 executables: []
@@ -76,7 +76,7 @@ extra_rdoc_files: []
 files:
 - CHANGELOG
 - MIT-LICENSE
-- README
+- README.md
 - Rakefile
 - lib/limited_sessions.rb
 - lib/limited_sessions/expiry.rb
@@ -114,10 +114,12 @@ files:
 - test/dummy/script/rails
 - test/limited_sessions_test.rb
 - test/test_helper.rb
-homepage: http://iprog.com/projects#limited_sessions
-licenses: []
-metadata: {}
-post_install_message:
+homepage: https://iprog.com/projects#limited_sessions
+licenses:
+- MIT
+metadata:
+  source_code_uri: https://github.com/zarqman/limited_sessions
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -132,12 +134,13 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project:
-rubygems_version: 2.4.8
-signing_key:
+rubygems_version: 3.2.32
+signing_key:
 specification_version: 4
 summary: Server-side session expiry via either Rack Middleware or ActiveRecord extension
 test_files:
+- test/dummy/README.rdoc
+- test/dummy/Rakefile
 - test/dummy/app/assets/javascripts/application.js
 - test/dummy/app/assets/stylesheets/application.css
 - test/dummy/app/controllers/application_controller.rb
@@ -164,8 +167,6 @@ test_files:
 - test/dummy/public/422.html
 - test/dummy/public/500.html
 - test/dummy/public/favicon.ico
-- test/dummy/Rakefile
-- test/dummy/README.rdoc
 - test/dummy/script/rails
 - test/limited_sessions_test.rb
 - test/test_helper.rb

data/README DELETED Viewed

@@ -1,229 +0,0 @@
-LimitedSessions
-===============
-Copyright 2007-2013 t.e.morgan.
-License: MIT
-Updates/info: http://iprog.com/projects#limited_sessions
-Source: https://github.com/zarqman/limited_sessions
-Contact: tm@iprog.com
-LimitedSessions provides two distinct features, each in a separate part:
-  * Rack-compatible middleware that expires sessions based on inactivity or
-    maximum session length. This works with Rails 4 just fine.
-  * Rails 4 extension to the (now separate) ActiveRecord Session Store to
-    auto-cleanup stale session records.
-Notes on Rails and Rack versions:
-  The middleware should be compatible with any framework using a recent
-  version of Rack. It was tested with Rack 1.5 and Rails 4.0.
-  The ActiveRecord Session Store extension requires Rails 4 and the now
-  separate activerecord-session_store gem:
-    gem 'activerecord-session_store'
-  activerecord-session_store must be *before* limited_sessions in your Gemfile
-  in order for limited_sessions to auto-detect it.
-  For Rails 3, use limited_sessions v3.x.x:
-    gem 'limited_sessions', '~> 3.0'
-Upgrading from previous versions:
-  Other than possibly requiring the activerecord-session_store gem as noted
-  above, no changes are required upgrading from limited_sessions 3.x to 4.0.
-  If upgrading from limited_sessions v2.x, please review the upgrade notes from
-  limited_sessions 3.x or build a new configuration using the instructions
-  below.
-Features:
-  * For all session stores:
-    * Configurable session expiry time (eg: 2 hours from last page access)
-    * Optional hard maximum limit from beginning of session (eg: 24 hours)
-  * When using the ActiveRecord Session Store:
-    * DB-based handling of session expiry (activity and hard limits) instead of
-      by session paramters
-    * Auto-cleaning of expired session records
-Requirements:
-  * Rack and any Rack-compatible app (including Rails 4)
-  * Utilizing Rack's (or Rails') sessions support
-  * For ActiveRecord session enhancements:
-    * Must be using the standard ActiveRecord::SessionStore
-      (ActionDispatch::Session::ActiveRecordStore.session_store = :active_record_store)
-    * Ensure your sessions table has an `updated_at` column
-    * If using hard session limits, a `created_at` column is needed too
-Installation:
-  Add this gem to your Gemfile (Rails) or otherwise make it available to your
-  app. Then, configure as required.
-  gem 'limited_sessions', '~> 4.0'
-Configuration:
-  Rack Middleware with Rails
-    1. Update your config/initializers/session_store.rb and append the
-       following:
-       config.middleware.insert_after ActionDispatch::Flash, LimitedSessions::Expiry, \
-         recent_activity: 2.hours, max_session: 24.hours
-    2. Configuration options.
-       The example above shows both configuration options. You may include
-       both, one, or none.
-       * Session activity timeout *
-       Example: recent_activity: 2.hours
-       By default, the session activity timeout is disabled (nil).
-       * Maximum session length *
-       Example: max_session: 24.hours
-       By default, the maximum session length is disabled (nil).
-  Rack Middleware apart from Rails
-    1. In your config.ru, add the following *after* the middleware that handles
-       your sessions.
-       use LimitedSessions::Expiry, recent_activity: 2.hours, max_session: 24.hours
-    2. See #2 above, under Rack Middleware with Rails, for Configuration options.
-  ActionRecord Session Store
-    1. If you don't already have an 'updated_at' column on your sessions table,
-       create a migration and add it. If you plan to use the hard session limit
-       feature, you'll also need to add 'created_at'.
-    2. Tell Rails to use your the new session store. Change
-       config/initializers/session_store.rb to reflect the following:
-       <YourApp>::Application.config.session_store :active_record_store
-       ActionDispatch::Session::ActiveRecordStore.session_class = LimitedSessions::SelfCleaningSession
-    3. Configuration options.
-       Each of the following options should also be added to your initializer
-       file from step 2.
-       * Self-cleaning *
-       By default, SelfCleaningSession will clean the sessions table about every
-       1000 page views. Technically, it's a 1 in 1000 chance on each page. For
-       most sites this is good. Higher traffic sites may want to increase it to
-       10000 or more. 0 will disable self-cleaning.
-       LimitedSessions::SelfCleaningSession.self_clean_sessions = 1000
-       * Session activity timeout *
-       The default session activity timeout is 2 hours. This uses the
-       'updated_at' column which will be updated on every page load.
-       This can also be disabled by setting to nil. However, the 'updated_at'
-       column is still required for self-cleaning and will effectively function
-       as if this was set to 1.week. If you really want it longer, set it to
-       1.year or something.
-       LimitedSessions::SelfCleaningSession.recent_activity = 2.hours
-       * Maximum session length *
-       By default, the maximum session length handling is disabled. When
-       enabled, it uses the 'created_at' column to do its work.
-       A value of nil disables this feature and 'created_at' does not need to
-       exist in this case.
-       LimitedSessions::SelfCleaningSession.max_session = 12.hours
-Other questions:
-  Do I need both the middleware and the ActiveRecord Session Store?
-    No. While it should work, it is not necessary to use both the middleware
-    and the ActiveRecord Session Store. If you are storing sessions via AR,
-    then use the ActiveRecord Session Store. If you are storing sessions any
-    other way, then use the middleware.
-  I'm storing sessions in {Memcache, Redis, etc.} and they auto-expire
-  sessions. Do I need this?
-    Maybe, maybe not. Normally, that auto-expire period is equivalent to
-    LimitedSessions' :recent_activity. If that's all you want, then you don't
-    need this. However, if you'd also like to put a maximum cap on session
-    length, regardless of activity, then LimitedSessions' :max_session feature
-    will still be useful.
-  Can I use the middleware with ActiveRecord instead of the ActionRecord
-  Session Store enhancement?
-    Yes; session expiry (recent activity and max session length) should work
-    fine in this circumstance. The only thing you won't get is self-cleaning of
-    the AR sessions table.
-  How are session expiry times tracked?
-    The middleware adds one or two keys to the session data: :last_visit and/or
-    :first_visit.
-    The AR enhancement uses 'updated_at' and possibly 'created_at'.
-  How is this different from using the session cookie's own expires= value?
-    The cookie's own value puts the trust in the client to self-expire. If you
-    really want to control session lengths, then you need to manage the values
-    on the application side. LimitedSessions is fully compatible with the
-    cookie's expires= value, however, and the two can be used together.
-  What's the difference between :recent_activity and :max_session?
-    Recent activity requires regular access on your site. If it's set to 15
-    minutes, then a page must be loaded at least once every 15 minutes.
-    Max session is a cap on the session from the very beginning. If it's set to
-    12 hours, then even if a user is accessing the page constantly, and not
-    triggering the recent activity timeout, after 12 hours their session would
-    be reset anyway.
-  What are the security implications of using LimitedSessions?
-    LimitedSessions enhances security by reducing risk of session cookie replay
-    attacks. The specifics will depend on what cookie store you're using.
-    For Rails' default cookie store, :max_session handling is perhaps most
-    valuable as it guarantees an end to the session. Rails' default behavior
-    allows a session to last for an infinite time. If a cookie is somehow
-    exposed, the holder of the cookie has an open-ended session. Note that
-    signing and/or encryption do not mitigate this.
-    For any session store that uses a server-side database (AR, memcache, Redis,
-    etc.), at least the user can formally logout and terminate the session.
-    Auto-expiring sessions (memcache, Redis, AR w/SelfCleaningSession, etc.)
-    will also expire if allowed to, but can also be maintained perpetually by
-    ongoing access.
-    Since the cookie store doesn't expire ever, :recent_activity addresses this
-    by making sessions expire similarly to if memcache, Redis, or something
-    similar was being used.
-    It is recommended to use both halves of LimitedSessions for best security.
-  What are the performance implications of using LimitedSessions?
-    The middleware should have minimal impact.
-    The AR enhancement should result in an overall net gain in performance as
-    the size of the AR sessions table will be kept to a smaller size. The 1 in
-    1000 hit (or whatever you've configured it to) may be slightly slower while
-    the database cleanup is in progress.
-  Is the AR enhancement compatible with the legacy 'sessid' column?
-    No. Please rename that column to 'session_id'.
-Other Notes:
-  This version has been tested on Rack 1.5 and Rails 4.0. It should be
-  compatible with a broad spectrum of data and session stores. If you find a
-  bug, I'd love to hear about it -- preferably via a new issue on GitHub (bonus
-  points for a pull request). Likewise, give me a shout if you have a suggestion
-  or just want to tell me that it works. Thanks for checking limited_sessions
-  out!
-      --t (tm@iprog.com; http://iprog.com/)