Anonymous users in Rails - security concerns?

I am looking at implementing some form of anonymous user system in Rails. I need people to do something (creating records, looking at what they created, etc.), without actually creating an account. Once they create an account, everything remains without the risk of losing it by clearing cookies or something like that.

Right now, I think it's pretty simple. Have the is_anonymous field in the User model and use something like this to access the currently logged in user:

    def find_user
      session[:user_id] ||= create_new_anonymous_user.id
    end

Assuming that the session is maintained for a reasonable period of time and the session cookie does not expire, this should ensure smooth operation.

However, there is this part of me that is convinced that I am missing something related to security. Has anyone done something like this before? Am I missing something super-obvious?

Thanks!

+7
security ruby ruby-on-rails
4 answers

The only real security issue will be that these anonymous users can perform critical operations.

Your system means that anyone with a specific cookie will gain access to the site. Not necessarily a big deal, but it really depends on the type of information your users provide.

In the past, I did something similar (in my case, I tracked the progress of the work through the site, and when the user logged in or registered, I linked the "guest" data to their account). When you make this switch, make sure that you delete the anonymous record to prevent further access, and everything should be fine.

+4
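The switch described in the answer above, as an added example that is not part of the original post: a plain-Ruby sketch (no Rails) in which registering moves the guest's records to the new account and deletes the anonymous row. `GuestStore`, `register`, `current_user` and the Struct fields are hypothetical names, and the session is modelled as a Hash.

```ruby
# Added example: plain-Ruby stand-ins for the User model, its records and the session.
User   = Struct.new(:id, :anonymous, :email)
Record = Struct.new(:id, :user_id, :body)

class GuestStore
  attr_reader :users, :records

  def initialize
    @users = {}
    @records = []
    @next_id = 0
  end

  # Like the question's find_user, but an id that no longer exists yields a
  # fresh guest rather than being trusted.
  def current_user(session)
    user = @users[session[:user_id]]
    return user if user
    user = add_user(anonymous: true)
    session[:user_id] = user.id
    user
  end

  def create_record(user, body)
    @records << Record.new(@records.size + 1, user.id, body)
  end

  # Registration: re-own the guest's records, delete the guest row, repoint the session.
  def register(session, email)
    guest = current_user(session)
    return guest unless guest.anonymous
    account = add_user(anonymous: false, email: email)
    @records.each { |r| r.user_id = account.id if r.user_id == guest.id }
    @users.delete(guest.id)   # a saved copy of the old cookie now resolves to nothing
    session.clear             # in Rails, reset_session plays this role
    session[:user_id] = account.id
    account
  end

  private

  def add_user(anonymous:, email: nil)
    user = User.new(@next_id += 1, anonymous, email)
    @users[user.id] = user
  end
end
```

With cookie-based sessions the server keeps no session state, so deleting the guest row is what stops a copied pre-registration cookie from reaching the migrated data.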

I just found a pretty cool example of "trial users" using Authlogic: http://github.com/gisikw/authlogic_trial

+2

Assuming the session is saved for some reasonable period of time and the session cookie does not expire, this should keep everything operating smoothly.

You may need to set a separate long-lived cookie for a new user, so they can have multiple sessions (at least from this browser).

0

Are you sure you want people to create objects that are tied to accounts that may not exist? Unfortunately, I don't know much about what your application actually does, but I think that going down this path may leave you with orphans that do not really "belong" to any real users.

If you really want to do this, I think you have a decent one. You could create a real user marked as "guest" (or something else), and as soon as the user wants to really register, they will be asked for the other information and unflagged. You must add access control for non-guests, etc.

0
