My Rails app has a sign in box with a ‘remember me’ checkbox. Users who check that box should remain logged in even after closing their browser. I’m keeping track of whether users are logged in by storing their id in the user’s session.
But sessions are implemented in Rails as session cookies, which are not persistent. I can make them persistent:
    class ApplicationController < ActionController::Base
      before_filter :update_session_expiration_date

      private

      # Runs before every action: if the cookie store has no expiry set yet,
      # push it a year out so the session cookie survives closing the browser.
      def update_session_expiration_date
        options = ActionController::Base.session_options
        unless options[:session_expires]
          options[:session_expires] = 1.year.from_now
        end
      end
    end
But that seems like a hack, which is surprising for such common functionality. Is there any better way?
Edit
Gareth’s answer is pretty good, but I would still like an answer from someone familiar with Rails 2 (because of its unique CookieSessionStore).
I have spent a while thinking about this and came to some conclusions. Rails session cookies are tamper-proof by default, so you really don’t have to worry about a cookie being modified on the client end.
Here is what I’ve done:
When the user checks the ‘Remember Me’ box, I just set the session[:expireson] date to be login + 2 weeks. No one can steal the cookie and stay logged in forever or masquerade as another user because the Rails session cookie is tamper-proof.
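As an added illustration of the approach in this answer (not code from the question or the answer), here is a plain-Ruby model of what the Rails 2 CookieStore does: the session is serialised, signed with an HMAC in the "data--digest" layout, verified before anything in it is trusted, and the :expireson value is enforced on each request. The secret, the 14-day window and the use of JSON in place of Marshal are constructed for this example; the method names are hypothetical, not Rails API.

```ruby
require 'openssl'
require 'json'
require 'time'

# Constructed secret for this example only; a real app keeps its own in the session config.
SECRET = 'example-secret-not-for-production-0123456789'
REMEMBER_ME_DAYS = 14 # the "login + 2 weeks" window from the answer

# Serialise the session and append an HMAC-SHA1 signature, mirroring the
# "data--digest" layout of the Rails 2 CookieStore (JSON instead of Marshal
# so the payload stays readable here).
def sign_session(session)
  data = [JSON.generate(session)].pack('m0')
  digest = OpenSSL::HMAC.hexdigest('SHA1', SECRET, data)
  "#{data}--#{digest}"
end

# Check the signature before trusting anything inside the cookie.
# Returns the session hash, or nil if the cookie was altered or malformed.
def verify_session(cookie)
  data, digest = cookie.split('--', 2)
  return nil if data.nil? || digest.nil?
  expected = OpenSSL::HMAC.hexdigest('SHA1', SECRET, data)
  return nil unless secure_compare(expected, digest)
  JSON.parse(data.unpack1('m0'))
rescue ArgumentError, JSON::ParserError
  nil
end

# Constant-time comparison so the digest check does not leak via timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# What the sign-in action stores: the user id plus, when "remember me" is
# ticked, the absolute expiry described in the answer (login time + 2 weeks).
def build_login_session(user_id, remember_me, now = Time.now.utc)
  session = { 'user_id' => user_id }
  session['expireson'] = (now + REMEMBER_ME_DAYS * 86_400).iso8601 if remember_me
  session
end

# What a before_filter does on every request: reject forged cookies and treat
# a past :expireson as logged out. Returns the user id or nil.
def current_user_id(cookie, now = Time.now.utc)
  session = verify_session(cookie)
  return nil unless session.is_a?(Hash)
  expires = session['expireson']
  return nil if expires && Time.iso8601(expires) <= now
  session['user_id']
end
```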