RubyGems - limited_sessions - Versions diffs - 4.2.0 → 5.0.0 - Mend

limited_sessions 4.2.0 → 5.0.0

Files changed (10) hide show

checksums.yaml +5 -5
data/CHANGELOG +6 -0
data/MIT-LICENSE +1 -1
data/README.md +205 -0
data/lib/limited_sessions.rb +0 -4
data/lib/limited_sessions/expiry.rb +2 -9
data/lib/limited_sessions/self_cleaning_session.rb +1 -7
data/lib/limited_sessions/version.rb +1 -1
metadata +29 -30
data/README +0 -232

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 72435a434d8e6fb836b3aa85fb4d53d5e09032ad
-  data.tar.gz: 8344fca106d43399d81d71aeb30d2b1fbf4c450a
+SHA256:
+  metadata.gz: 372dbf49775aefdb7902b765bc5727c9506f6df46251d890e5a31e957ba70962
+  data.tar.gz: d2d4e1684ec8f9b183a5cdf3d4722e73d8ac8bd7d1b656b41c3fd0f3d2ed6a62
 SHA512:
-  metadata.gz: 353a235142ff978cf4fae93899d3d64af32dec47fbdef58e7045d47dc7842c9a51b1dfa2f1e2b5407ee309efa0bf6bc535dd45aeb91457b07f04955d3346a7b5
-  data.tar.gz: b7aefc332194cc4176ed4322325d20ba41715de602f5e28e3f43a020e69307770e3160359ea1545e86fb2a4b95c759bb7f14b56a8cda8d3b4a867f3b0ce2e433
+  metadata.gz: 92285992bce470310c88b656caf2a62d26bfa9315656d13bab944e44241743eb1a7bb86d912f837a13328be682a402c021d89552124577ce26e6212d84c1dba6
+  data.tar.gz: 176aea0865080e0399d2cd5f17cd3a04bb3daeccc06e5be982ed4c422bbeee6b2c1b47aaa73d7ff3a514468dcda0a39adee855916d955ecb48ec43b39b098425

data/CHANGELOG CHANGED Viewed

@@ -1,3 +1,9 @@
+* 2021-apr-20 - v5.0.0
+  - Drop support for Rack <= 2.0.8 and Rails < 5.2
+  - Update for new rubies
+  - Cleanup readme and comments
 * 2017-may-22 - v4.2.0
   - Fixed ActiveRecord session cleanup on Rails 5.1

data/MIT-LICENSE CHANGED Viewed

@@ -1,4 +1,4 @@
-Copyright 2007-2013 t.e.morgan
+Copyright 2007-2021 t.e.morgan
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the

data/README.md ADDED Viewed

@@ -0,0 +1,205 @@
+# LimitedSessions
+LimitedSessions provides two distinct features, each in a separate part:
+* Rack-compatible middleware that expires sessions based on inactivity or maximum session length. The middleware supports any session storage type, including cookies, Redis, ActiveRecord, etc.
+* Rails extension to the (now separate) ActiveRecord Session Store to auto-cleanup stale session records.
+## Features
+* For all session stores:
+  * Configurable session expiry time (eg: 2 hours from last page access)
+  * Optional hard maximum limit from beginning of session (eg: 24 hours)
+* When using the ActiveRecord Session Store:
+  * DB-based handling of session expiry (activity and hard limits) instead of by session paramters
+  * Auto-cleaning of expired session records
+## Requirements
+* Rack and any Rack-compatible app (including Rails)
+* Utilizing Rack's (or Rails') sessions
+* For ActiveRecord session enhancements:
+  * Must be using the standard ActiveRecord::SessionStore
+    (`ActionDispatch::Session::ActiveRecordStore.session_store = :active_record_store`)
+  * Ensure your sessions table has an `updated_at` column
+  * If using hard session limits, a `created_at` column is needed too
+## Compatibility
+The middleware should be compatible with any framework using a recent version of Rack. It has been tested with Rack 2.x and Rails 5.2-6.1.
+The optional ActiveRecord Session Store extension requires Rails.
+If using Rack < 2.0.9 or Rails < 5.2, use LimitedSessions 4.x.
+## Upgrading
+No changes are required to upgrade from LimitedSessions 4.x to 5.0.
+Upgrading `activerecord-session_store` from 1.x to 2.x may require changes. See its own upgrade instructions.
+## Installation
+Add this gem to your Gemfile or otherwise make it available to your app. Then, configure as required.
+```ruby
+gem 'limited_sessions', '~> 5'
+```
+If storing sessions in the DB using ActiveRecord with AR Session Store:
+```ruby
+gem 'activerecord-session_store'
+gem 'limited_sessions', '~> 5'
+```
+`activerecord-session_store` must be loaded first in order for `limited_sessions` to properly detect it.
+## Configuration
+### Rack Middleware with Rails
+1. Add/update `config/initializers/session_store.rb` and append the following:
+    ```ruby
+    config.middleware.insert_after ActionDispatch::Flash, LimitedSessions::Expiry, \
+      recent_activity: 2.hours, max_session: 24.hours
+    ```
+2. Configuration options.
+    The example above shows both configuration options. You may include one, both, or none.
+    #### Session activity timeout
+    Example: `recent_activity: 2.hours`
+    By default, the session activity timeout is disabled (`nil`).
+    #### Maximum session length
+    Example: `max_session: 24.hours`
+    By default, the maximum session length is disabled (`nil`).
+### Rack Middleware apart from Rails
+1. In `config.ru`, add the following *after* the middleware that handles your sessions.
+    ```ruby
+    use LimitedSessions::Expiry, recent_activity: 2.hours, max_session: 24.hours
+    ```
+2. For configuration options, see #2 above, under Rack Middleware with Rails.
+### ActionRecord Session Store extension
+1. If you don't already have an `updated_at` column on your sessions table, create a migration and add it. If you plan to use the hard session limit feature, you'll also need to add `created_at`.
+2. Tell Rails to use your the new session store. Change `config/initializers/session_store.rb` to reflect the following:
+    ```ruby
+    Rails.application.config.session_store :active_record_store
+    ActionDispatch::Session::ActiveRecordStore.session_class = LimitedSessions::SelfCleaningSession
+    ```
+3. Configuration options.
+    Each of the following options should also be added to your initializer file from step 2.
+    #### Self-cleaning
+    By default, SelfCleaningSession will clean the sessions table every 1000 page views. Technically, it's a 1 in 1000 chance on each page. For most sites this is good. Higher traffic sites may want to increase it to 10000 or more. Set to 0 to disable self-cleaning.
+    ```ruby
+    LimitedSessions::SelfCleaningSession.self_clean_sessions = 1000
+    ```
+    #### Session activity timeout
+    The default session activity timeout is 2 hours. This uses the `updated_at` column which will be updated on every page load.
+    This can also be disabled by setting to `nil`. However, the `updated_at` column is still required for self-cleaning and will effectively function as if set to `1.week`. If you really want it longer, set it to `1.year` or something.
+    ```ruby
+    LimitedSessions::SelfCleaningSession.recent_activity = 2.hours
+    ```
+    #### Maximum session length
+    By default, maximum session length handling is disabled. When enabled, it uses the `created_at` column to do its work.
+    A value of `nil` disables this feature and `created_at` does not need to exist in this case.
+    ```ruby
+    LimitedSessions::SelfCleaningSession.max_session = 12.hours
+    ```
+## Questions
+* Do I need both the middleware and the ActiveRecord Session Store?
+  No. While it should work, it is not necessary to use both the middleware
+  and the ActiveRecord Session Store. If you are storing sessions via AR,
+  then use the ActiveRecord Session Store. If you are storing sessions any
+  other way, then use the middleware.
+* I'm storing sessions in {Memcache, Redis, etc.} and they auto-expire sessions. Do I need this?
+  Maybe, maybe not. Normally, that auto-expire period is equivalent to LimitedSessions' :recent_activity. If that's all you want, then you don't need this. However, if you'd also like to put a maximum cap on session length, regardless of activity, then LimitedSessions' `:max_session` feature will still be useful.
+* Can I use the middleware with ActiveRecord instead of the ActionRecord Session Store enhancement?
+  Yes. Session expiry (recent activity and max session length) should work fine in this circumstance. The only thing you won't get is self-cleaning of the AR sessions table.
+* How are session expiry times tracked?
+  The middleware adds one or two keys to the session data: `:last_visit` and/or `:first_visit`.
+  The AR enhancement uses `updated_a`t and possibly `created_at`.
+* How is this different from using the session cookie's own expires= value?
+  The cookie's own value puts the trust in the client to self-expire. If you really want to control session lengths, then you need to manage the values on the application side. LimitedSessions is fully compatible with the cookie's expires= value, however, and the two can be used together.
+* What's the difference between `:recent_activity` and `:max_session`?
+  Recent activity requires regular access on your site. If it's set to 15 minutes, then a page must be loaded at least once every 15 minutes.
+  Max session is a cap on the session from the very beginning. If it's set to 12 hours, then even if a user is accessing the page constantly, and not triggering the recent activity timeout, after 12 hours their session would be reset anyway.
+* What are the security implications of using LimitedSessions?
+  LimitedSessions enhances security by reducing risk of session cookie replay attacks. The specifics will depend on what cookie store you're using.
+  For Rails' default cookie store, `:max_session` handling is perhaps most valuable as it guarantees an end to the session. Rails' default behavior allows a session to last for an infinite time. If a cookie is somehow exposed, the holder of the cookie has an open-ended session. Note that signing and/or encryption do not mitigate this.
+  For any session store that uses a server-side database (AR, memcache, Redis, etc.), at least the user can formally logout and terminate the session. Auto-expiring sessions (memcache, Redis, AR w/SelfCleaningSession, etc.) will also expire if allowed to, but can also be maintained perpetually by ongoing access.
+  Since the cookie store doesn't expire ever, `:recent_activity` addresses this by making sessions expire similarly to if memcache, Redis, or something similar was being used.
+  It is recommended to use both aspects of LimitedSessions for best security.
+* What are the performance implications of using LimitedSessions?
+  The middleware should have minimal impact.
+  The AR enhancement should result in an overall net gain in performance as the size of the AR sessions table will be kept to a smaller size. The 1 in 1000 hit (or whatever you've configured it to) may be slightly slower while the database cleanup is in progress.
+## Contributing
+1. Fork it ( https://github.com/zarqman/smart_assets/fork )
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create new Pull Request
+## License
+MIT

data/lib/limited_sessions.rb CHANGED Viewed

@@ -1,7 +1,3 @@
-# LimitedSessions
-# (c) 2007-2013 t.e.morgan
-# Made available under the MIT license
 module LimitedSessions
 end

data/lib/limited_sessions/expiry.rb CHANGED Viewed

@@ -1,16 +1,9 @@
-# LimitedSessions
-# (c) 2007-2017 t.e.morgan
-# Made available under the MIT license
-# This version is compatible with Rack 1.4-2.0 (possibly earlier; untested).
-# Correspondingly, it is compatible with Rails 3.x-5.x.
 module LimitedSessions
   # Rack middleware that should be installed *after* the session handling middleware
   class Expiry
     DEFAULT_OPTIONS = {
-      :recent_activity => nil,  # eg: 2.hours
-      :max_session => nil       # eg: 24.hours
+      recent_activity: nil,  # eg: 2.hours
+      max_session: nil       # eg: 24.hours
     }
     def initialize(app, options={})

data/lib/limited_sessions/self_cleaning_session.rb CHANGED Viewed

@@ -1,9 +1,3 @@
-# LimitedSessions
-# (c) 2007-2017 t.e.morgan
-# Made available under the MIT license
-# This is the Rails 4-5.x version.
 module LimitedSessions
   class SelfCleaningSession < ActiveRecord::SessionStore::Session
@@ -29,7 +23,7 @@ module LimitedSessions
       # If this is a problem, use a migration and rename the column.
       def find_by_session_id(session_id)
         consider_self_clean
-        active_session.current_session.where(:session_id=>session_id).first
+        active_session.current_session.where(session_id: session_id).first
       end
       private

data/lib/limited_sessions/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module LimitedSessions
-  VERSION = '4.2.0'
+  VERSION = '5.0.0'
 end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: limited_sessions
 version: !ruby/object:Gem::Version
-  version: 4.2.0
+  version: 5.0.0
 platform: ruby
 authors:
 - t.e.morgan
-autorequire:
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2017-05-23 00:00:00.000000000 Z
+date: 2021-04-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
@@ -16,7 +16,7 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.2.5
+        version: 2.0.9
     - - "<"
       - !ruby/object:Gem::Version
         version: '3'
@@ -26,7 +26,7 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.2.5
+        version: 2.0.9
     - - "<"
       - !ruby/object:Gem::Version
         version: '3'
@@ -50,20 +50,20 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '4.0'
+        version: '5.2'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '5.2'
+        version: '6.2'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '4.0'
+        version: '5.2'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '5.2'
+        version: '6.2'
 description: 'LimitedSessions provides two core features to handle cookie-based session
   expiry: 1) Rack Middleware for most session stores and 2) an ActiveRecord extension
   for AR-based session stores. Sessions can be expired on inactivity and/or overall
@@ -76,7 +76,7 @@ extra_rdoc_files: []
 files:
 - CHANGELOG
 - MIT-LICENSE
-- README
+- README.md
 - Rakefile
 - lib/limited_sessions.rb
 - lib/limited_sessions/expiry.rb
@@ -117,7 +117,7 @@ files:
 homepage: https://iprog.com/projects#limited_sessions
 licenses: []
 metadata: {}
-post_install_message:
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -132,40 +132,39 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project:
-rubygems_version: 2.6.12
-signing_key:
+rubygems_version: 3.0.9
+signing_key:
 specification_version: 4
 summary: Server-side session expiry via either Rack Middleware or ActiveRecord extension
 test_files:
+- test/dummy/app/controllers/application_controller.rb
+- test/dummy/app/views/layouts/application.html.erb
 - test/dummy/app/assets/javascripts/application.js
 - test/dummy/app/assets/stylesheets/application.css
-- test/dummy/app/controllers/application_controller.rb
 - test/dummy/app/helpers/application_helper.rb
-- test/dummy/app/views/layouts/application.html.erb
-- test/dummy/config/application.rb
-- test/dummy/config/boot.rb
-- test/dummy/config/database.yml
-- test/dummy/config/environment.rb
-- test/dummy/config/environments/development.rb
+- test/dummy/config/routes.rb
+- test/dummy/config/locales/en.yml
 - test/dummy/config/environments/production.rb
+- test/dummy/config/environments/development.rb
 - test/dummy/config/environments/test.rb
+- test/dummy/config/environment.rb
+- test/dummy/config/application.rb
+- test/dummy/config/database.yml
+- test/dummy/config/boot.rb
 - test/dummy/config/initializers/backtrace_silencers.rb
-- test/dummy/config/initializers/inflections.rb
 - test/dummy/config/initializers/mime_types.rb
-- test/dummy/config/initializers/secret_token.rb
 - test/dummy/config/initializers/session_store.rb
 - test/dummy/config/initializers/wrap_parameters.rb
-- test/dummy/config/locales/en.yml
-- test/dummy/config/routes.rb
+- test/dummy/config/initializers/secret_token.rb
+- test/dummy/config/initializers/inflections.rb
 - test/dummy/config.ru
-- test/dummy/log/test.log
-- test/dummy/public/404.html
+- test/dummy/script/rails
+- test/dummy/Rakefile
+- test/dummy/public/favicon.ico
 - test/dummy/public/422.html
 - test/dummy/public/500.html
-- test/dummy/public/favicon.ico
-- test/dummy/Rakefile
+- test/dummy/public/404.html
+- test/dummy/log/test.log
 - test/dummy/README.rdoc
-- test/dummy/script/rails
 - test/limited_sessions_test.rb
 - test/test_helper.rb

data/README DELETED Viewed

@@ -1,232 +0,0 @@
-LimitedSessions
-===============
-Copyright 2007-2017 t.e.morgan.
-License: MIT
-Updates/info: http://iprog.com/projects#limited_sessions
-Source: https://github.com/zarqman/limited_sessions
-Contact: tm@iprog.com
-LimitedSessions provides two distinct features, each in a separate part:
-  * Rack-compatible middleware that expires sessions based on inactivity or
-    maximum session length. The middleware supports any session storage type,
-    including cookies, Redis, ActiveRecord, etc.
-  * Rails 4+ extension to the (now separate) ActiveRecord Session Store to
-    auto-cleanup stale session records.
-Notes on Rails and Rack versions:
-  The middleware should be compatible with any framework using a recent
-  version of Rack. It was tested with Rack 1.5 on Rails 4.2 and Rack 2.0 on
-  Rails 5.0 and 5.1.
-  The ActiveRecord Session Store extension requires Rails 4+ and the now
-  separate activerecord-session_store gem:
-    gem 'activerecord-session_store'
-  activerecord-session_store must be *before* limited_sessions in your Gemfile
-  in order for limited_sessions to auto-detect it.
-  The extension has been tested with the following combinations:
-  * Rails 4.2 + activerecord-session_store 0.1.2
-  * Rails 5.0 + activerecord-session_store 1.0.0
-  * Rails 5.1 + activerecord-session_store 1.1.0
-Upgrading from previous versions:
-  Other than possibly requiring the activerecord-session_store gem as noted
-  above, no changes are required upgrading from limited_sessions 3.x to 4.0.
-  If upgrading from limited_sessions v2.x, please review the upgrade notes from
-  limited_sessions 3.x or build a new configuration using the instructions
-  below.
-Features:
-  * For all session stores:
-    * Configurable session expiry time (eg: 2 hours from last page access)
-    * Optional hard maximum limit from beginning of session (eg: 24 hours)
-  * When using the ActiveRecord Session Store:
-    * DB-based handling of session expiry (activity and hard limits) instead of
-      by session paramters
-    * Auto-cleaning of expired session records
-Requirements:
-  * Rack and any Rack-compatible app (including Rails 4 or 5)
-  * Utilizing Rack's (or Rails') sessions support
-  * For ActiveRecord session enhancements:
-    * Must be using the standard ActiveRecord::SessionStore
-      (ActionDispatch::Session::ActiveRecordStore.session_store = :active_record_store)
-    * Ensure your sessions table has an `updated_at` column
-    * If using hard session limits, a `created_at` column is needed too
-Installation:
-  Add this gem to your Gemfile (Rails) or otherwise make it available to your
-  app. Then, configure as required.
-  gem 'limited_sessions', '~> 4.0'
-Configuration:
-  Rack Middleware with Rails
-    1. Update your config/initializers/session_store.rb and append the
-       following:
-       config.middleware.insert_after ActionDispatch::Flash, LimitedSessions::Expiry, \
-         recent_activity: 2.hours, max_session: 24.hours
-    2. Configuration options.
-       The example above shows both configuration options. You may include
-       both, one, or none.
-       * Session activity timeout *
-       Example: recent_activity: 2.hours
-       By default, the session activity timeout is disabled (nil).
-       * Maximum session length *
-       Example: max_session: 24.hours
-       By default, the maximum session length is disabled (nil).
-  Rack Middleware apart from Rails
-    1. In your config.ru, add the following *after* the middleware that handles
-       your sessions.
-       use LimitedSessions::Expiry, recent_activity: 2.hours, max_session: 24.hours
-    2. See #2 above, under Rack Middleware with Rails, for Configuration options.
-  ActionRecord Session Store
-    1. If you don't already have an 'updated_at' column on your sessions table,
-       create a migration and add it. If you plan to use the hard session limit
-       feature, you'll also need to add 'created_at'.
-    2. Tell Rails to use your the new session store. Change
-       config/initializers/session_store.rb to reflect the following:
-       <YourApp>::Application.config.session_store :active_record_store
-       ActionDispatch::Session::ActiveRecordStore.session_class = LimitedSessions::SelfCleaningSession
-    3. Configuration options.
-       Each of the following options should also be added to your initializer
-       file from step 2.
-       * Self-cleaning *
-       By default, SelfCleaningSession will clean the sessions table about every
-       1000 page views. Technically, it's a 1 in 1000 chance on each page. For
-       most sites this is good. Higher traffic sites may want to increase it to
-       10000 or more. 0 will disable self-cleaning.
-       LimitedSessions::SelfCleaningSession.self_clean_sessions = 1000
-       * Session activity timeout *
-       The default session activity timeout is 2 hours. This uses the
-       'updated_at' column which will be updated on every page load.
-       This can also be disabled by setting to nil. However, the 'updated_at'
-       column is still required for self-cleaning and will effectively function
-       as if this was set to 1.week. If you really want it longer, set it to
-       1.year or something.
-       LimitedSessions::SelfCleaningSession.recent_activity = 2.hours
-       * Maximum session length *
-       By default, the maximum session length handling is disabled. When
-       enabled, it uses the 'created_at' column to do its work.
-       A value of nil disables this feature and 'created_at' does not need to
-       exist in this case.
-       LimitedSessions::SelfCleaningSession.max_session = 12.hours
-Other questions:
-  Do I need both the middleware and the ActiveRecord Session Store?
-    No. While it should work, it is not necessary to use both the middleware
-    and the ActiveRecord Session Store. If you are storing sessions via AR,
-    then use the ActiveRecord Session Store. If you are storing sessions any
-    other way, then use the middleware.
-  I'm storing sessions in {Memcache, Redis, etc.} and they auto-expire
-  sessions. Do I need this?
-    Maybe, maybe not. Normally, that auto-expire period is equivalent to
-    LimitedSessions' :recent_activity. If that's all you want, then you don't
-    need this. However, if you'd also like to put a maximum cap on session
-    length, regardless of activity, then LimitedSessions' :max_session feature
-    will still be useful.
-  Can I use the middleware with ActiveRecord instead of the ActionRecord
-  Session Store enhancement?
-    Yes; session expiry (recent activity and max session length) should work
-    fine in this circumstance. The only thing you won't get is self-cleaning of
-    the AR sessions table.
-  How are session expiry times tracked?
-    The middleware adds one or two keys to the session data: :last_visit and/or
-    :first_visit.
-    The AR enhancement uses 'updated_at' and possibly 'created_at'.
-  How is this different from using the session cookie's own expires= value?
-    The cookie's own value puts the trust in the client to self-expire. If you
-    really want to control session lengths, then you need to manage the values
-    on the application side. LimitedSessions is fully compatible with the
-    cookie's expires= value, however, and the two can be used together.
-  What's the difference between :recent_activity and :max_session?
-    Recent activity requires regular access on your site. If it's set to 15
-    minutes, then a page must be loaded at least once every 15 minutes.
-    Max session is a cap on the session from the very beginning. If it's set to
-    12 hours, then even if a user is accessing the page constantly, and not
-    triggering the recent activity timeout, after 12 hours their session would
-    be reset anyway.
-  What are the security implications of using LimitedSessions?
-    LimitedSessions enhances security by reducing risk of session cookie replay
-    attacks. The specifics will depend on what cookie store you're using.
-    For Rails' default cookie store, :max_session handling is perhaps most
-    valuable as it guarantees an end to the session. Rails' default behavior
-    allows a session to last for an infinite time. If a cookie is somehow
-    exposed, the holder of the cookie has an open-ended session. Note that
-    signing and/or encryption do not mitigate this.
-    For any session store that uses a server-side database (AR, memcache, Redis,
-    etc.), at least the user can formally logout and terminate the session.
-    Auto-expiring sessions (memcache, Redis, AR w/SelfCleaningSession, etc.)
-    will also expire if allowed to, but can also be maintained perpetually by
-    ongoing access.
-    Since the cookie store doesn't expire ever, :recent_activity addresses this
-    by making sessions expire similarly to if memcache, Redis, or something
-    similar was being used.
-    It is recommended to use both halves of LimitedSessions for best security.
-  What are the performance implications of using LimitedSessions?
-    The middleware should have minimal impact.
-    The AR enhancement should result in an overall net gain in performance as
-    the size of the AR sessions table will be kept to a smaller size. The 1 in
-    1000 hit (or whatever you've configured it to) may be slightly slower while
-    the database cleanup is in progress.
-  Is the AR enhancement compatible with the legacy 'sessid' column?
-    No. Please rename that column to 'session_id'.
-Other Notes:
-  This version has been tested on Rack 1.5-2.0 and Rails 4.2-5.1. It should be
-  compatible with a broad spectrum of data and session stores. If you find a
-  bug, I'd love to hear about it -- preferably via a new issue on GitHub (bonus
-  points for a pull request). Likewise, give me a shout if you have a suggestion
-  or just want to tell me that it works. Thanks for checking limited_sessions
-  out!
-      --t (tm@iprog.com; https://iprog.com/)