Geek Answers Handbook

In Rails, how do you destroy a session when you close your browser?

I walk through the Michael Hartle Railstutorial and I am stuck on Exercise 9.6.2. I searched the web and used this code in my session helper:

module SessionsHelper def sign_in(user) session[:user_id] = user.id self.current_user = user end def current_user=(user) @current_user = user end def current_user @current_user ||= User.find(session[:user_id]) if session[:user_id] end def signed_in? !current_user.nil? end def sign_out session[:user_id] = nil self.current_user = nil end end

I found it online: http://www.nimweb.it/web-development/ruby-on-rails-web-development/ruby-on-rails-tutorial-exercise-9-6-2-rails-session/

However, the user does not log out when the browser is closed. Anyone have a solution?

+4
source share
5 answers

EDIT : Looking at the link you gave, they write:

We can also start the server (using "$ rails s") and test the functioning of our new session without cookies (we must be logged out every time we close the browser).

(in italics)

Therefore, their solution is to simply disable cookies, which leads to the creation of a new session at each visit. In fact, they are not talking about deleting old sessions on the server side of the equation.

My original answer is left below for historical significance:

(apologies if this is too general, I assume you do not see the big picture)

In fact, the Internet uses a model based on pull clients — clients make requests to do something on the server.

You cannot “force” the client to close the session, since closing the session is an action that the client must request from the server (for example: by logging out).

Therefore, usually sessions have a timeout period that is regularly checked. Each session has a "start time" stored in the database, and sessions that are too old are cleared.

However, in javascript there might be some way to detect a browser close event and attempt to close the session with maximum efficiency. But there is no guarantee - the user can always forcefully kill the browser process, leaving the server completely in the dark.

In short, you cannot rely on a client to close a session. A timeout is probably the best option.

+4
source

I got stuck in one exercise after going through a tutorial. If you used Firefox and decided to save the tabs and then exit, the browser will obviously save all your session data when you restart the browser. This means that the user information stored in the session cookie will also be restored, and therefore, the user will be registered after closing the browser. I do not think other browsers (like chrome) have the same behavior. Therefore, a quick test is to use a different browser and see if your code will work. Hope this helps.

+2
source

First of all, you need to clear the session store that you are using to avoid confusion. I believe that the exercise uses the default storage (cookie) , but, of course, you could change this to the active storage of records (or any other storage that stores data on the server).

Check the config/initializers/session_store.rb file to see how session storage is used. Assuming you haven’t changed anything in the store, it should be set to :cookie_store , in which case you don’t have to worry about anything, since client-side cookies are used to store session data, and these cookies expire by default after closing browser (these are so-called "session" cookies, just to be clear, the session here refers to the cookie present until your browsing session is saved - closing the browser deletes the session cookie). Of course, this does not cause any server-side code such as sign_out or session.destroy when exiting the browser, but since the cookie contains all the session data and is deleted by the browser, you can no longer get it, so you can consider the session is destroyed. ..

Now, when stored on the server side, it becomes more complex, as mentioned in the previous answer, “You cannot“ force the client to close the session ” . What most people do is manually destroy expired sessions, for example. http://guides.rubyonrails.org/security.html#session-expiry . Rake task example https://gist.github.com/kares/919069

+1
source

I am reading this excellent tutorial right now and got the same task about 30 minutes ago. Jeremy Roman answered exactly this question. Although he did not give a phased answer, what he mentioned allowed me to find out the answer.

Now, to be more specific ... Given that Jeremy mentioned that sessions expired automatically after closing the browser, unless the “Expires” attribute is specified for the corresponding cookie, the solution is related to the following code fragment:

app/helpers/session_helper.rb:

 def sign_in(user) cookies.permanent.signed[:remember_token] = [user.id, user.salt] self.current_user = user end

According to the tutorial itself , the permanent method above sets the cookie attribute 'Expires' to 20.years.from_now . Thus, this means that your session will persist for 20 years if you do not exit explicitly or delete your cookie.

So, to end a session when the browser is closed, you just need to create your cookie without any expiration date, which boils down to a simple pass to permanent :

app/helpers/session_helper.rb:

 def sign_in(user) cookies.signed[:remember_token] = [user.id, user.salt] self.current_user = user end

Although there may be other valid solutions that are not yet obvious to me (after all, I just started to learn Rails), this one looks very simple - you don’t even need to write anything - just delete permanent and you go there! :)

0
source

I know this answer comes a little later than four years, but I came across the same question and was asked several times in different forms on SO. The only correct answer I found was here .

The problem is not the development of the problem. Of course, he expected this exercise to be completed with cookies turned on. Rather, the problem is in the browser settings: "continue when you stopped" or "open my windows and tabs from the last time" when the browser starts. This option allows you to save sessions in the browser closely, which is exactly the behavior that we do not want.

This issue is now referred to as a footnote in the textbook (chapter 8, note 2). The author says that in relation to this browser setting and related endless sessions,

... Of course, Rails does not control this behavior.

0
source

More articles:


All Articles