Session Management

When a new session is created, Rails automatically sends a cookie to the browser containing the session id

The data structure takes the form of a hash, identified by a unique session id, a 32-character string of random hex number

---

Disabling Sessions for Robots
class ApplicationController < ActionController::Base<br />session :off, :if => lambda {|req| req.user_agent =~/(Google|Slurp)/i}<br />

Selectively Enabling Sessions
class ApplicationController < ActionController::Base<br />session :off<br /><br />#You can’t say session :on in a subclass of ApplicationController—it won’t work, but surprisingly, you can say session :disable => false.<br /><br />class AdminController < ApplicationController<br />session :disable => false<br />
# the session will only work over HTTPS<br />session :session_secure => true
The Controversial CookieStore
class CGI::Session::CookieStore<br />def generate_digest(data)<br /># replace this line with your own encryption logic<br />Digest::SHA512.hexdigest “#{data}#{@secret}”<br />end<br />end<br /><br />#Another problem with cookie-based session storage is its vulnerability to replay<br />attacks<br />The short answer is: Do not store sensitive data in the session. Ever. The longer<br />answer is that coordination of nonces across multiple servers would require remote<br />process interaction on a per-request basis, which negates the benefits of using the<br />cookie session storage to begin with.<br />

Timing Out and Session Life Cycle
Session Timeout Plugin for Rails
class ApplicationController < ActionController::Base<br />session_times_out_in 20.minutes,<br />:after_timeout => proc {|controller| logger.info “Session expired”<br />}<br />end
>> CGI::Session::ActiveRecordStore::Session.find:first<br />=> #<CGI::Session::ActiveRecordStore::Session:0x26fe65c<br /><br />@attributes={“updated_at”=>”2006-11-29 02:06:01”,<br />“session_id”=>”73bb9cd7fd19a5c1cae8cd0fda0cb6bb”, “id”=>”1”,<br />“data”=>”BAh7BiIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo\nSG<br />FzaHsABjoKQHVzZWR7AA==\n”}>

Cookies
#If you are really intent on being able to access cookies in your helpers or views,there is a simple solution. Simply declare cookies to be a helper method:<br /><br />class MyController < ActionController::Base<br />helper_method :cookies
cookies[:login] = {:value => @user.security_token,<br />:domain => ‘.domain.com’,<br />:expires => Time.now.next_year }