Interaction of Rememberable and Timeoutable


Andrew Hodgkinson

Mar 26, 2010, 10:25:38 AM
to plataforma...@googlegroups.com
Last one for today, I promise!

The Rememberable module handles a cookie for me; should the user manage
to get logged out "somehow", the cookie will be used to log them back in.
I'm not clear on exactly how the user would log out, though, without
going through SessionsController#destroy; in that case, the cookie is
(rightly) cleared anyway.

So, I assumed that Rememberable was to be used in conjunction with
Timeoutable. If the user doesn't explicitly say "remember me" then their
session can timeout quickly. Otherwise, it only times out once both the
session timeout and remember token have expired. However it does not seem
to work that way. If I set a really short session timeout for testing -
say, 5 seconds - then checking the 'Remember me' box when logging in
makes no difference. I get logged out after 5 seconds of inactivity anyway.

Are these two modules meant to work together, or are they supposed to be
mutually exclusive (both tackling the issue of user session persistence
but from different angles) with only one used at any given time?

--
TTFN, Andrew Hodgkinson
Find some electronic music at: http://pond.org.uk/music.html
Photos, wallpaper, software and more: http://pond.org.uk/

José Valim

Mar 26, 2010, 10:33:07 AM
to plataforma...@googlegroups.com
IMHO, it makes no sense to supply both modules at the same time. In your case, you can say that rememberable is not working, because timeout is ruling rememberable. But if we did otherwise, allowing rememberable to work, one could complain that timeoutable is not working properly.

Timeoutable is a security measure; if you allow the person to bypass this security measure by checking the remember me box (which they certainly will), it's better to remove it altogether.




--
José Valim

Director of Engineering - Plataforma Tecnologia
Know more about us: http://plataformatec.com.br/en/

Andrew Hodgkinson

Mar 26, 2010, 10:36:57 AM
to plataforma...@googlegroups.com
On 26/03/2010 14:33, José Valim wrote:

> IMHO, it makes no sense to supply both modules at the same time [...]

Understood; thanks for the clarification.

In the case of Rememberable, what mechanisms might cause the user to be
logged out unless they checked the "Remember me" box - browser quitting,
or window/tab closed, or similar?

José Valim

Mar 26, 2010, 10:39:49 AM
to plataforma...@googlegroups.com
Remember stores a cookie. So the user will always be able to sign in until he signs out (either explicitly by clicking the link or implicitly when his account expires or times out) or the cookie is deleted manually.

Closing a tab deletes neither cookies nor session cookies. Quitting the browser deletes session cookies, but not other cookies.

On Fri, Mar 26, 2010 at 3:36 PM, Andrew Hodgkinson <ahod...@gmail.com> wrote:

Carlos A. da Silva

Mar 26, 2010, 10:57:11 AM
to Devise
Also notice Rememberable has its own "timeout" config, set up via :remember_for in your devise initializer, which defaults to 2.weeks.

On Mar 26, 11:39 am, José Valim <jose.va...@gmail.com> wrote:
> Remember stores a cookie. So the user will always be able to sign in until
> he signs out (either explicitly by clicking the link or implicitly when his
> account expires or times out) or the cookie is deleted manually.
>
> Closing a tab deletes neither cookies nor session cookies.
> Quitting the browser deletes session cookies, but not other cookies.
>

Andrew Hodgkinson

Mar 26, 2010, 11:00:20 AM
to plataforma...@googlegroups.com
On 26/03/2010 14:57, Carlos A. da Silva wrote:

> Also notice Rememberable has its own "timeout" config, set up via
> :remember_for in your devise initializer, which defaults to 2.weeks.

Yep, thanks.

My app was using both, but since they don't play well together I've just
added a configuration item which lets the installer / sys admin choose
between timeout or a remember token. The database already has the
relevant entries to support the remember token and it doesn't do any harm
if that isn't used.
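The :remember_for setting Carlos mentions and the timeout-or-remember choice Andrew settled on, as an added pure-Ruby model of the behaviour the thread describes (not Devise's own code and not part of the original posts). TIMEOUT_IN, REMEMBER_FOR, Session, signed_in? and devise_modules_for are constructed for this example; the rule that the timeout overrides the remember cookie follows José's explanation above, and the :timeout / :remember option names are hypothetical.

```ruby
# Constructed, self-contained model: Devise keeps last_request_at in the
# session and the remember token in a cookie; here both are plain timestamps
# (seconds) so the policy runs without Rails. TIMEOUT_IN and REMEMBER_FOR
# stand in for the initializer settings config.timeout_in / config.remember_for.
TIMEOUT_IN   = 5                 # the 5-second test value from the thread
REMEMBER_FOR = 2 * 7 * 24 * 3600 # Devise's default of 2.weeks, in seconds

# last_request_at nil: no live session (e.g. browser quit, session cookie gone).
# remember_created_at nil: no remember cookie was ever set.
Session = Struct.new(:last_request_at, :remember_created_at, keyword_init: true)

# Timeoutable: a live session is dead once idle time exceeds timeout_in.
def timed_out?(session, now, timeout_in: TIMEOUT_IN)
  return false if session.last_request_at.nil? # nothing live to time out
  now - session.last_request_at > timeout_in
end

# Rememberable: the cookie signs the user back in until remember_for elapses.
def remember_cookie_valid?(session, now, remember_for: REMEMBER_FOR)
  return false if session.remember_created_at.nil?
  now - session.remember_created_at <= remember_for
end

# Assumed modelling of José's explanation: with both modules loaded the
# timeout wins, so the remember cookie cannot revive a timed-out session.
# Without Timeoutable, the cookie is the only cap (remember_for).
def signed_in?(session, now, modules:)
  return false if modules.include?(:timeoutable) && timed_out?(session, now)
  return true unless session.last_request_at.nil?
  modules.include?(:rememberable) && remember_cookie_valid?(session, now)
end

# Andrew's approach: one installer setting selects the persistence model,
# so the two modules are never loaded together. Option names are hypothetical.
def devise_modules_for(persistence)
  base = [:database_authenticatable]
  case persistence
  when :timeout  then base + [:timeoutable]
  when :remember then base + [:rememberable]
  else raise ArgumentError, "persistence must be :timeout or :remember"
  end
end
```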
