Session record not getting deleted

[Bharath Neo]

Hi,
I have been asking this question in multiple forums like stackexchange
but have not received a solution or proper help. Any help here is
appreciated.

I have a rails app with a session store database (mysql). When I want to
clear a session, I reset the session variables and call reset_session.
But then the record in mysql which was added on creating a session does
not get cleared automatically (which it should).

This is how my sessions controller looks like:


class SessionsController < ApplicationController
def create
session[:user_id] = params[:email]
session[:username] = params[:email]
end

def destroy
session[:user_id] = nil
session[:username] = nil
reset_session
end

When the create gets called, I see rails adding a record automatically
in the sessions table. But then it does not get cleaned up on
reset_session.

kybitz-vm_001:(controllers) [master]$ rails -v
Rails 3.2.13
kybitz-vm_001:(controllers) [master]$ ruby -v
ruby 1.8.7 (2011-06-30 patchlevel 352) [i686-linux]

Thanks.

--
Posted via http://www.ruby-forum.com/.

[Robert Walker]

Bharath Neo wrote in post #1154181:

> Hi,
> I have been asking this question in multiple forums like stackexchange
> but have not received a solution or proper help. Any help here is
> appreciated.
>
> I have a rails app with a session store database (mysql). When I want to
> clear a session, I reset the session variables and call reset_session.
> But then the record in mysql which was added on creating a session does
> not get cleared automatically (which it should).

Do you have reference to documentation stating that it should? To my
knowledge using ActiveRecord session storage has always required manual
purging.

This article might help:
http://blog.brightbox.co.uk/posts/clearing-out-rails-sessions

Besides using MySQL for session storage isn't currently recommended in
the first place:

http://guides.rubyonrails.org/4_0_release_notes.html
---------------
ActiveRecord session store (commit) - The ActiveRecord session store is
extracted to a separate gem. Storing sessions in SQL is costly. Instead,
use cookie sessions, memcache sessions, or a custom session store.

[Bharath Neo]

Thanks Robert for the reply. Nope, not from documentation. Its just
basic thing that if the record is created by rails, it needs to be
cleaned up by rails (why would it need to be cleaned up out of a
different path) ?

I remember reading this stackoverflow comment as well which mentioned
that it should clear on calling reset_session.

http://stackoverflow.com/questions/10088619/how-to-clear-rails-sessions-table%22

"When you call reset_session rails will delete that row from the session
table. However not every session will have reset_session called on it:
if a user closes their browser without logging out then the browser will
discard the session cookie, so that session row will never be used
again, but reset_session won't be called.

Rails won't clear out that accumulating cruft for you - it's up to you
to do any housekeeping on it as you see fit. In a previous job we use to
run a cronjob that deleted old session rows."

[Bharath Neo]

Okie, assuming its done manually, is there a way to at least figure out
which of the sessions are for logged out users ??

[Colin Law]

On 5 August 2014 23:05, Bharath Neo <li...@ruby-forum.com> wrote:
> Okie, assuming its done manually, is there a way to at least figure out
> which of the sessions are for logged out users ??

Delete it explicitly when a user logs out, then you know that any left
are those that have not logged out.

Colin

[Bharath Neo]

Colin Law wrote in post #1154372:

The problem is that I want to hold sessions who have not logged out. And
clear sessions who have not logged in. Sessions are created
automatically by rails when the login page loads itself.

[Colin Law]

Sorry, don't understand. Can you clarify what you mean by 'logged
out'? I assumed you meant users that have clicked on the 'logout'
link.

Colin

[Bharath Neo]

Colin Law wrote in post #1155762:

Okie. This is what I see from how its happening:

1. There is a login page
2. When login page is loaded I see an entry for a session put in.

+-----+----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------+---------------------+---------------------+
| id | session_id | data
| created_at | updated_at |
+-----+----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------+---------------------+---------------------+
| 172 | 683aeb1fec89147c16db6ffb8614d915 |
BAh7BiIQX2NzcmZfdG9rZW4iMUVNN1ZVSSt6cGdMaTdRT1RycjhuVTlkWHMr
M1RyYzZyZUpYaEh5eE93VDQ9

3. When someone logs in successfully, I set the user_id value in the
session variable. Right then I see that the sql record has the value in
"data" variable changed.

session[:user_id] = params[:email]

4. When someone logs out, I clear the value and call reset_session.
Again I see the sql record has the "data" variable with changed value.

session[:user_id] = nil
reset_session

Hence the problem is:
1. Can't I ensure a session record is created only when I want - After
the user logs in ?
2. If not, Can I differentiate a authenticated session vs
unauthenticated sessions (sessions where the login page was just loaded
OR sessions where the user logged out) ?

[Colin Law]

On 24 August 2014 17:32, Bharath Neo <li...@ruby-forum.com> wrote:
> Colin Law wrote in post #1155762:
>> On 23 August 2014 06:32, Bharath Neo <li...@ruby-forum.com> wrote:
>>> The problem is that I want to hold sessions who have not logged out. And
>>> clear sessions who have not logged in. Sessions are created
>>> automatically by rails when the login page loads itself.
>>
>> Sorry, don't understand. Can you clarify what you mean by 'logged
>> out'? I assumed you meant users that have clicked on the 'logout'
>> link.
>>
>> Colin
>
> Okie. This is what I see from how its happening:
>
> 1. There is a login page
> 2. When login page is loaded I see an entry for a session put in.

What do you mean by 'loading' the login page? The code you posted
shows the session being created in session create, which is presumably
as a result of posting the login form, not displaying. It is up to
you what code you put there.

>
> +-----+----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------+---------------------+---------------------+
> | id | session_id | data
> | created_at | updated_at |
> +-----+----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------+---------------------+---------------------+
> | 172 | 683aeb1fec89147c16db6ffb8614d915 |
> BAh7BiIQX2NzcmZfdG9rZW4iMUVNN1ZVSSt6cGdMaTdRT1RycjhuVTlkWHMr
> M1RyYzZyZUpYaEh5eE93VDQ9
>
> 3. When someone logs in successfully, I set the user_id value in the
> session variable. Right then I see that the sql record has the value in
> "data" variable changed.
>
> session[:user_id] = params[:email]
>
> 4. When someone logs out, I clear the value and call reset_session.
> Again I see the sql record has the "data" variable with changed value.
>
> session[:user_id] = nil
> reset_session
>
> Hence the problem is:
> 1. Can't I ensure a session record is created only when I want - After
> the user logs in ?

When a user logs in check whether they already have an active session
and if so restore that one and remove the new one (or even better
don't save it). If there is nothing stored in the session other than
the fact that they have logged in then you can just delete any old
ones for that user.

Colin

[Bharath Neo]

Colin Law wrote in post #1155842:

> On 24 August 2014 17:32, Bharath Neo <li...@ruby-forum.com> wrote:
>>> Colin
>>

>> Okie. This is what I see from how its happening:
>>
>> 1. There is a login page
>> 2. When login page is loaded I see an entry for a session put in.
>
> What do you mean by 'loading' the login page? The code you posted
> shows the session being created in session create, which is presumably
> as a result of posting the login form, not displaying. It is up to
> you what code you put there.

Actually nope. When I hit localhost:3000, the login page pops up. I
don't see any of the controller code being executed. But when I check
the sql sessions table, I see rails has put in an entry:

mysql> select * from sessions;
+----+----------------------------------+----------------------------------------------------------------------------------------+---------------------+---------------------+

| id | session_id | data
| created_at | updated_at |

+----+----------------------------------+----------------------------------------------------------------------------------------+---------------------+---------------------+
| 2 | b43e58bd6c2871beb354f40650deaade |
BAh7BiIQX2NzcmZfdG9rZW4iMUdLZU1zSlNmbGR4UDByVjRQNUlJem02UWFx
YzRGcFAwNHF5bW52NFJaZ2M9
| 2014-08-24 17:59:48 | 2014-08-24 17:59:48 |
+----+----------------------------------+----------------------------------------------------------------------------------------+---------------------+---------------------+
1 row in set (0.00 sec)

[Colin Law]

On 24 August 2014 19:03, Bharath Neo <li...@ruby-forum.com> wrote:
> Colin Law wrote in post #1155842:
>> On 24 August 2014 17:32, Bharath Neo <li...@ruby-forum.com> wrote:
>>>> Colin
>>>
>>> Okie. This is what I see from how its happening:
>>>
>>> 1. There is a login page
>>> 2. When login page is loaded I see an entry for a session put in.
>>
>> What do you mean by 'loading' the login page? The code you posted
>> shows the session being created in session create, which is presumably
>> as a result of posting the login form, not displaying. It is up to
>> you what code you put there.
>
> Actually nope. When I hit localhost:3000, the login page pops up. I
> don't see any of the controller code being executed. But when I check
> the sql sessions table, I see rails has put in an entry:

OK. It seems I am not the one who can help in that case. I think you
need someone who knows more about sessions stored in the db.

Sorry

Colin

[Frederick Cheung]

On Sunday, August 24, 2014 5:33:00 PM UTC+1, Ruby-Forum.com User wrote:

Colin Law wrote in post #1155762:

4. When someone logs out, I clear the value and call reset_session.
Again I see the sql record has the "data" variable with changed value.

    session[:user_id] = nil
    reset_session

Hence the problem is:
1. Can't I ensure a session record is created only when I want - After
the user logs in ?
2. If not, Can I differentiate a authenticated session vs
unauthenticated sessions (sessions where the login page was just loaded
OR sessions where the user logged out) ?

A row gets set in the sessions table (or whatever session store you use) whenever something is assigned to the session. In particular, pretty much any time you display a form (or call csrf_meta_tag) rails saves the value of the csrf token to the session. This is probably why you're seeing sessions created on displaying the login page.

You can't by default differentiate between authenticated sessions and non authenticated sessions: rails' session support is unaware of what authenticated means to you. You could probably do this with a custom session store - a session store implementation has access to the rack env hash, so your app code could set values in there that the session store could save. The active record store implementation that was extracted from rails (https://github.com/rails/activerecord-session_store) would probably be a good place to start

Fred