Session timed out. Time Out! What’s a session?

A quick summary of rails sessions and when and when not to use them.

We’ve all seen this message, usually when we are on a site filling out forms that deal with sensitive and/or personal information. It’s easy to discern that this is a security measure meant to keep our information safe: why else create this inconvenience?

What is a Session?

A session is a data object that stores key/value pairs for a web session, usually of a particular user. When we log in to a site, we are usually starting a session that allows the application to deliver a faster and more enjoyable UX. Rails makes sessions particularly easy for us.

Accessing a session in Rails:

If we look at our Rails application, we are already given access to our session any time the program runs. If you want to see where this is configured, simply navigate to config/initializers/session_store.rb. If we go there, we will see the following line of code:

Rails.application.config.session_store :cookie_store, key: '_displaying-associations-rails-lab_session'

Here, Rails is initializing a session store that keeps the session data inside a cookie (that is what :cookie_store means). When writing our application, we can set values that persist across the user’s entire session by accessing the session object. Rails, as we know, will make this extremely easy for us.

session[:user_id] = user.id

Here, we create a key in our session object called user_id and assign it the value of the user’s id. It may seem like more typing than just accessing user.id, but now when we want the user’s id we no longer have to hit the database, saving our application some sweet, sweet processing time.

Sessions and cookies are small (~4 KB) and are not a replacement for a database, but they do act as a sort of small, temporary database. We generally only want to use them for temporary information that is specific to a user’s session.

You can imagine logging in to a site or starting to fill out an application without finishing it. Before we make a call on the database, we might want to store information in a session that we can call at the end to create database objects. It might go something like this:

def login
  # user has already been looked up (and authenticated) earlier in this action
  session[:user_id] = user.id
end

We know that when we log in to a site, like Shmacebook, we are accessing pages and data specific to our account, and as long as we are logged in we will be the only user for that session. But what if we do log out? Once again, Rails makes this so shmeasy.

def logout
  # throws away everything stored in the current session
  reset_session
end

It’s as easy as that. Resetting the session clears the data in the session object, one of the many things that Rails makes easy on us. Without a way to reset the session, the only way to remove the stored values is to close the browser. But wait a minute, what about the session timed out thingy?

Remember that line of code we found in the session_store file? It accepts some nice options for tuning the session cookie, specifically expire_after. Let’s try this:

Rails.application.config.session_store :cookie_store, key: '_displaying-associations-rails-lab_session', expire_after: 5.minutes

We’ve now set an expiration timer on our session, so this information is not left sitting in the cookie on our computer indefinitely. When we are filling out a 3-page purchase order or doing our taxes on ShmurboTax and all of our personal information is being stored in our session hash, it will expire after a reasonable time (decided by our lord programmers).
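To make expire_after (and the signed cookie behind :cookie_store) concrete, here is an added toy model. It is my own illustration, not code from this post and not Rails’ real CookieStore (which also encrypts the payload): the session hash and its expiry time are signed together before they go into the cookie, so the browser can neither alter the data nor push the expiry back, and once the timer elapses the cookie is simply ignored.

```ruby
require "openssl"
require "json"
require "base64"

# Toy cookie-based session store with an expire_after timer (illustration only;
# hypothetical class name, not Rails' implementation).
class ToyCookieStore
  def initialize(secret, expire_after:)
    @secret = secret
    @expire_after = expire_after # seconds, like Rails' expire_after: 5.minutes
  end

  # Serialize the session hash plus an absolute expiry, then append an HMAC so
  # the browser cannot change either the data or the expiry without detection.
  def write(session, now: Time.now.to_i)
    payload = Base64.strict_encode64(JSON.generate("data" => session, "exp" => now + @expire_after))
    "#{payload}--#{sign(payload)}"
  end

  # Returns the session hash, or nil if the cookie is tampered with, malformed,
  # or expired (the server then behaves as if the session had been reset).
  def read(cookie, now: Time.now.to_i)
    payload, sig = cookie.to_s.split("--", 2)
    return nil unless payload && sig && secure_compare(sign(payload), sig)
    parsed = JSON.parse(Base64.strict_decode64(payload))
    return nil if now >= parsed["exp"] # expire_after has elapsed
    parsed["data"]
  rescue ArgumentError, JSON::ParserError
    nil
  end

  private

  def sign(payload)
    OpenSSL::HMAC.hexdigest("SHA256", @secret, payload)
  end

  # Constant-time comparison so the signature check does not leak timing info.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```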

Sessions are incredibly useful tools for creating a fast and friendly web-interface and, while they are not required, they are very much encouraged.

Cookies act very similarly to sessions but persist longer, outliving a single session. Cookies can be used to help with auto-logins as well as tailoring search results. Rails also makes cookies easy to access when building an application.

cookies[:beards] = [].to_json  # cookie values are strings, so we store the array as JSON
beards = JSON.parse(cookies[:beards]) + ["Cliff", "Ian", "Dillon", "Colby", "Me", "Charlie"]
beards.delete_at(1)  # drop the second bearded fellow
cookies[:beards] = { value: beards.to_json, expires: 1.month.from_now }

Here we are setting the cookies hash key beards to an empty array, then populating it with some bearded fellows I know (I don’t know any bearded women, sadly). We can delete any value in the array or set the cookie to expire (delete itself) after a certain amount of time. This can allow for better security without sacrificing convenience.
