Tuesday, Apr 10, 2007

Ruby on Rails sessions - introduction and expiry

As the HTTP protocol is stateless, a logged-in client, for example, would have to provide its login name and password with every request it makes, because the server cannot maintain state across a user's subsequent requests. The idea of adding state to requests is to save information about the exchanged data on the server (the session data), identified by a session identifier.

Rails saves the session data and identifier on the server, and advises the client side to store the same session identifier in a cookie. The cookie looks like the following:

# name = value
_session_id=16d5b78abb28e3d6206b60f22a03c8e8

The session identifier is a 32 bytes long MD5 hash value of the current time, a random number between 0 and 1, the process id of the Ruby interpreter (basically another, less random, number) and a constant string (foobar). This keeps the risk of colliding session identifiers (i.e. the same identifier occurring twice) very low.

Session expiry

In many web applications your session stays valid only until you log out, or for a certain time after the creation of the session. It is not a good idea to use sessions that never expire, as that allows an attacker unlimited time to brute-force a session identifier. Also, the number of valid session identifiers rises over time, and with it the chance of guessing a session identifier correctly. You could limit how long a session stays valid by setting the expiry time stamp of the _session_id cookie. However, as cookies in the web browser can be edited by the user, this is not the safest thing to do. It is safer to control the validity of a session on the server side.
 
Every user who accesses the web application creates a new session on the server, which can eventually lead to a major performance drop or fill up your disk space and make your server incapable of acting. Not only to save disk space and for performance reasons, but also to let old sessions expire, you should remove old session data from time to time. Sessions are saved to files in Rails' /tmp/sessions by default. When deciding which session files you can remove, the simplest way is to delete those files which were not changed within the last hour. However, in a situation where sessions do not become invalid when the user logs out, or the user always forgets to log out, and an attacker got hold of the session cookie, he could write an automated script to access the web application every 10 minutes, for example. In such a case, the session would never expire.
 
You should use an automated script (via the cron command on Unix, for example) to clear expired sessions: those which were not accessed for some time AND those which were created a long time ago. Depending on the user behavior and on how much you want to protect the application, you should clear them every 5 minutes through to no more than 20 minutes.
 
If you use a database to store the sessions, of course the same rules apply.
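As an added example (not code from the original post), the two expiry rules above in Ruby, with a small simulation of the attacker who touches a stolen session every 10 minutes. The Session struct, the 'ruby_sess.*' file name pattern and the created_at_of lookup are assumptions made here.

```ruby
Session = Struct.new(:id, :created_at, :last_access)

# A session is expired when it has been idle longer than idle_limit OR is
# older than max_age regardless of activity (both limits in seconds).
def expired?(session, now, idle_limit:, max_age:)
  idle_for = now - session.last_access
  age      = now - session.created_at
  idle_for > idle_limit || age > max_age
end

# Simulate a client (legitimate, or an attacker with a stolen cookie) that
# touches the session every +interval+ seconds. The sweeper runs every
# +sweep_every+ seconds; returns the elapsed seconds at which it first
# removes the session, or nil if the session survives the whole +duration+.
def first_removal(interval:, duration:, sweep_every:, idle_limit:, max_age:)
  t0 = Time.utc(2007, 4, 10, 12, 0, 0)   # constructed creation time
  s  = Session.new('16d5b78abb28e3d6206b60f22a03c8e8', t0, t0)
  (sweep_every..duration).step(sweep_every) do |elapsed|
    now = t0 + elapsed
    # the last hit happened at the most recent multiple of +interval+
    s.last_access = t0 + (elapsed / interval) * interval
    return elapsed if expired?(s, now, idle_limit: idle_limit, max_age: max_age)
  end
  nil
end

# Sweep a directory of file-based sessions (Rails' default store): the file
# mtime records the last access, but the filesystem does not reliably keep a
# creation time, so +created_at_of+ is a hypothetical block that reads it
# from the session data. Returns the paths that should be deleted. The
# 'ruby_sess.*' file name pattern is an assumption.
def expired_session_files(dir, now, idle_limit:, max_age:, &created_at_of)
  Dir.glob(File.join(dir, 'ruby_sess.*')).select do |path|
    s = Session.new(path, created_at_of.call(path), File.mtime(path))
    expired?(s, now, idle_limit: idle_limit, max_age: max_age)
  end
end

if __FILE__ == $0
  # Idle timeout alone: a hit every 10 minutes keeps the session alive forever.
  p first_removal(interval: 600, duration: 36_000, sweep_every: 300,
                  idle_limit: 3600, max_age: Float::INFINITY)    # => nil
  # Adding an 8 hour maximum lifetime ends it at the first sweep after 8 h.
  p first_removal(interval: 600, duration: 36_000, sweep_every: 300,
                  idle_limit: 3600, max_age: 8 * 3600)           # => 29100
end
```

Run expired_session_files from cron against the session directory and unlink whatever it returns; the same two rules map directly onto a database store by comparing its created and updated columns.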
 
To be continued...


Reader Comments (56)

Thanks. This is great information.

April 12, 2007 | Unregistered Commenteranon
