
May 28, 2006

Comments

josh

Wow, that's interesting stuff. But I wonder if you're using too big a hammer. Maybe it would be simpler to have the remember-me cookie be named something like "[app]_user_login", and only use it on the login page to supply auth credentials for the one user. Once the user name and (encrypted) password are supplied to the app, you can use the regular user_id in the non-persistent session to verify that the user is logged in. I think it's good to decouple the login cookie from the session cookie, since sessions can get cleaned up on the server even if the cookie is persistent in the browser.

RayBaxter

Two points, possibly related:

I'm not sure what this means, "Indeed, there is no API for even adding output cookies to a CgiResponse." ApplicationController::Cookies does provide an API that allows you to add cookies to a CgiResponse. Maybe I'm not understanding your point.

On whether having Set-Cookie sent on every request is a bug, I'd say it was an implementation choice.

It is also the implementation that I prefer as a user and usually as a developer. If your cookie can expire at some fixed time period in the future, then you have to keep updating that time period.
The way I read your code, the session _will_ expire 30 days from now, no matter how many times I visit your site over the next 30 days. This is the approach taken by some sites (gmail, Amazon) but it is annoying to me. If I log in today I would like to never have to log in again if I check your site weekly.

It is just a cookie after all. Sending it 20 times is not that heavy. After all, the user sends it back to you on every request.

Like Josh, I would prefer an approach that decouples the remember me authentication from session persistence. I'd keep persistent state in the db.

David Heinemeier Hansson

I too applaud your zeal for getting to the bottom of your original statement of the problem, but would certainly also recommend that you go the much, much easier route of just using a separate cookie to store a remembered-login.

That's how all the implementations I've done and seen have gone about it. And it's certainly a ton easier to do.

Graham Glass

Regarding my comment re: an API for cookies. There *is* an API for adding "regular" cookies to a CgiResponse, but not for what the documentation calls *output* cookies.

If there was indeed an API for adding these so-called output cookies, then the Cgi::Session code would presumably have used it. But instead it uses the hack that I mentioned in my text.

Graham Glass

Since all three comments so far have suggested I use a separate cookie for the "remember me" function, I will certainly reconsider that approach.

However, I don't see the essential difference between a session and what "remember me" does. Surely "remember me" simply modulates the length of a session, in which case it seems like you shouldn't need two separate cookies.

As far as the 30-day limitation goes, Ray is right that my code as-is would forget the session length after 30 days. I'm not sure whether I'll keep this behavior (which as he points out some popular sites use), or should adjust it to make it a sliding window. An even simpler approach is to simply set the expiry date to 10 years in the future!

Travis Hoang

TY so much for the persistent cookie thing, it saved me loads of time for my own Rails project

Chintan

Hi Graham,

It's really a good one, but I have one problem: I didn't get where I have to put this code. So please help me with this as soon as possible, and once again thanks for such nice stuff.

Abhinav Maheshwari

Graham,

Here is one article using a different cookie.

www.onrails.org/articles/2006/02/18/auto-login

Abhinav Maheshwari

Graham,

Thanks for the interesting info regarding internals. However, I tend to agree with Josh in that the sessions could expire on the server, and we anyways wouldn't want the sessions to be very long-lived.

Here is the complete solution using an auth_token, which is also stored in the database for comparing when the user comes back later.

www.onrails.org/articles/2006/02/18/auto-login
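The decoupled design Josh, Ray and Abhinav describe above (a separate remember-me cookie, a random token whose digest is kept in the database, checked only on the login path) as an added example; this is not code from the post or from the linked articles. The `RememberMe` class, the `app_user_login` cookie name, the in-memory hash standing in for the users table and the injected clock are my own assumptions, and the `sliding:` flag shows the fixed 30-day expiry versus the sliding window that Ray and Graham debate.

```ruby
require 'securerandom'
require 'digest'

# Remember-me tokens kept apart from the session cookie (assumed design).
# db is a constructed stand-in for a users table: { user_id => row }.
class RememberMe
  TTL = 30 * 24 * 60 * 60 # 30 days, the lifetime discussed in the thread

  def initialize(db, clock: -> { Time.now })
    @db = db
    @clock = clock # injectable so expiry can be exercised without waiting
  end

  # Issue a fresh random token at login. Only its digest is stored server-side,
  # so a leaked database row cannot be replayed as a cookie.
  def issue(user_id)
    token = SecureRandom.hex(32)
    now = @clock.call
    @db[user_id.to_s] = { token_digest: digest(token), token_expires_at: now + TTL }
    { name: 'app_user_login', value: "#{user_id}:#{token}", expires: now + TTL }
  end

  # Used only when no live session exists: returns the user_id the cookie proves,
  # or nil. With sliding: true the server-side expiry is extended on each use.
  def authenticate(cookie_value, sliding: false)
    user_id, token = cookie_value.to_s.split(':', 2)
    row = @db[user_id]
    return nil unless row && token
    return nil if @clock.call > row[:token_expires_at]
    return nil unless secure_compare(row[:token_digest], digest(token))

    row[:token_expires_at] = @clock.call + TTL if sliding
    user_id
  end

  # Logout / password change: dropping the row invalidates every copy of the cookie.
  def revoke(user_id)
    @db.delete(user_id.to_s)
  end

  private

  def digest(token)
    Digest::SHA256.hexdigest(token)
  end

  # Constant-time comparison so the token check does not leak via timing.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```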

somaking

FYI, http://www.shanesherman.com/2006/03/08/how-to-persist-rails-sessions-via-cookies-using-the-login-engine-plugin/

Stephen McKinney

Here's an article explaining Really Simple Remember Me's. 12 lines of code that you can add on to nearly any existing rails login.

http://www.thewojogroup.com/2008/09/remember-mes-with-rails/

Brett

http://www.thewojogroup.com/2008/09/remember-mes-with-rails/

For using rails cookies to do a remember me function.
