Session Problem in Sinatra - ruby

My sinatra application uses Rack::Session::Pool and it works fine.
I created a logout route using session.clear and it works fine as well.
But (there is always one) if the user closes the browser without clicking in the logout button the user keeps logged when he reopens the browser.
I checked the cookies in firefox and the session cookie (rack.session) still there! I went to my site, went to another site, verified the cookies and it was there, closed the browser and opened it again and the rack.session still there :( My client even rebooted his machine and he still logged in the site.
If I set the expire_date in the Rack::Session::Pool it works but then the cookie became persistent. I want the user's session to expire when he closes the browser regardless of expiration date (the worse case scenario is an user in a public computer or in a lan house).
I'm already working on this for 2 days, I looked in the rack source and I tried setting the others variables in the Rack::Session::Abstract but with no success until now.
For now I set the session to expire in 5 minutes to minimize the problem but this is not a good solution since the user still exposed for 5 minutes since his last request (if the users don't hit the logout button).
This is my cookie configuration:
app = MyApp.new
sessioned = Rack::Session::Pool.new(app,
:domain => DOMAIN,
:expire_after => 5 * 60)
run sessioned
Maybe I missing something here. Does anyone know what could be the problem? or had the same problem? Or any link?
Cheers,
Jonas

Remove the :expire_after and it stops the session persisting when the browser is closed.

Related

How To prevent copied session cookies being used

This has been asked before, but I haven't seen anything posted about it in years, and I'm running into the problem now.
Steps to reproduce:
Log into my site (C# 6, angularjs, .Net Framework 4.8)
Once logged in, use Cookie Editor to export the session cookies in the browser (using Chrome in this instance, but that doesn't matter.)
Log out
Using Cookie editor, import the copied session cookies.
Refresh the page... voila - I'm logged back in.
So, my code for logging out does all the "get rid of stored cookies" things it should: loop through all the cookies and expire them; clear the Request.Cookies; Abandon the Session; Clear the Session; RemoveAll on the session.
But when you paste that dang .ASPXAUTH cookie back into the browser... whammo. Logged in.
I'm not sure how to prevent this, and could really use the help.

Why is the user logged out after visiting a specific page? (Drupal 7)

My problem occurs after a user of my website has logged in and tries to edit the account info. As soon as they visit the /user/{user-id}/edit page it is like the login-session is killed. They can navigate around the rest of the site just fine.
Any ideas of what could cause this or how to find out how I can keep the session alive? Maybe there is a way to force the user to stay logged in?
Confirm that your cookie is set for both http and https sessions. Sometimes, if you appeared to be logged out, it may be because the user went from a secure https connection to an http connection.

Sentry Cookie not attaching

I am working on Laravel 4 application and using Sentry for authentication. I need to add Keep Me Logged In functionality into my application. I have googled around and found that passing second variable to Sentry::login($user, $remember) sets up a cookie. I have done that and can verify that it is working from the browser (Chrome). But somehow whenever I try Sentry::check() after a day it returns null for cookies. Even when the cookie is present in the browser. Can anyone point out what am I doing wrong? Same happens when I attach my custom cookie to the response.
This scenario happens on my production server. Whereas it works fine on my local server.
PS: Lifetime of the cookie is set to forever (5 Years)
After working around for sometime on the issue I was finally able to resolve the issue by creating and attaching custom cookie to the response after login. And then wrote a middleware to check for that cookie. If present then login user and continue.

What happens to Rails session after :expire_after time is up?

Does the session become nil? Does the change take effect only on the next request?
I think I just asked three questions now...
You can try to explore by using the similar settings:
AppName::Application.config.session_store :cookie_store, key: '_session_key', expire_after: 20.seconds
Then open up dev tools in your browser and go to cookies and select localhost cookies to see what happens.
I found out that:
Session cookie gets deleted after the expiration time
Expiration time for a cookie gets updated automatically (re-set) upon any request (even background ajax request counts)
The effect by default will take place upon the next request (refreshing the page for example) and if you use typical authentication (has_secure_password_ for example) user should be logged out
I found the last comment on the ActionController::Base documentation page really helpful on this topic

Firefox session cookies

Generally speaking, when given a cookie that has no expiration period, modern browsers will consider this cookie to be a 'session cookie', they will remove the cookie at the end of the browsing session (generally when the browser instance closes).
IE, Opera, Safari and Chrome all support this behavior.
However firefox (3.0.9 latest proper release) appears not to follow this rule, from what I can tell it doesn't expire the cookies when the browser is closed, or when the user logs off or restarts the OS..
So, why does firefox refer to these as session cookies, when they last aparently indefinitely?
Does anyone know how Firefox handles session cookie expiration?
This is apparently by design. Check out this Bugzilla bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=443354
Firefox has a feature where you close Firefox and it offers to save all your tabs, and then you restore the browser and those tabs come back. That's called session restore. What I didn't realize is that it'll also restore all the session cookies for those pages too! It treats it like you had never closed the browser.
This makes sense in the sense that if your browser crashed you get right back to where you were, but is a little disconcerting for web devs used to session cookies getting cleared. I've got some old session cookies from months ago that were set by sites I always have open in tabs.
To test this out, close all the tabs in your browser, then close the browser and restart it. I think the session cookies for your site should clear in that case. Otherwise you'd have to turn off session restore.
Two ideas :
You have a problem with your session manager (the one included in FF3 or one included in an extension, like tabmixplus)
Use Firebug + FireCookie (https://addons.mozilla.org/en-US/firefox/addon/6683) to debug !
This should work. I used to be one of the cookie module testers, and I don't think there is any design reason this would behave differently (although if you crash, the session cookies might be designed to live on when you restart...)
Are you viewing the cookies in the "Preferences" menu > "Privacy" Tab > "Show Cookies..." button?
Also, have you tried a new profile?
I disagree with meandmycode above.
The HTTP spec https://www.ietf.org/rfc/rfc6265.txt talks about what a client should do with Set-Cookie headers with Expires:
If the server wishes the user agent to persist the cookie over multiple "sessions" (e.g., user agent restarts), the server can specify an expiration date in the Expires attribute. Note that the user agent might delete the cookie before the expiration date if the user agent's cookie store exceeds its quota or if the user manually deletes the server's cookie.
The logical extension of this is that the ONLY way the server has to require that the browser does not maintain a Cookie on exit is to set no Expires value (i.e a session cookie). If a browser does not honor that semantic then its not honoring the server's response.
Essentially the user agent is deciding to ignore the server request and act as if an Expires value had been set.
This is a bit of a concern in shared user environments. If I set a authentication cookie that is set to expire at the end of the session. This will persist in Firefox after the browser has been closed and another user starts up Firefox. Cookies are set with an expiry date for a reason!
I'm flummoxed that Mozilla have left this as it is for several years.
OK.. so I quit FF and switch off the PC.
Next day FF starts and opens the last set of pages (nice handy feature) BUT it restores the sessions and I'm logged back in to sites which have no "save my settings" feature.
I know because they are sites I built.
Whatever I do with php ini settings the sessions are restored.
They absolutely should not be restored.
Pages yes, but sessions with cookie ini set to '0' no.
I don't understand why this is not flagged as a security hole.
Sure I can do some additional checking on the server side, to see if a login should be allowed, based on time from last log in, but it shouldn't be needed.
A session should NOT persist.
FF is manipulating cookie expiry settings.
In my case, it was because of pinned tabs that automatically restored the session even if this option was disabled in Firefox settings. So if you unpin the tabs, the session won't be restored.
Well it is disconcerting to me. My system is set up so that users can hit EXIT whereby I destroy all session cookies. But if a user closes the browser without actually choosing to Exit, I'd like the session cookies cleared.
I actually tested it with Google Chrome, IE 9, and works fine. But Firefox is reluctant to kill this "session" (as reported by Firebug) cookies.
OK. This is what I did. I chose Exit from FireFox main menu and from then on, did it fine as expected (Dont know why).

Resources