module Authlogic module Session # Think about financial websites, if you are inactive for a certain period # of time you will be asked to log back in on your next request. You can do # this with Authlogic easily, there are 2 parts to this: # # 1. Define the timeout threshold: # # acts_as_authentic do |c| # c.logged_in_timeout = 10.minutes # default is 10.minutes # end # # 2. Enable logging out on timeouts # # class UserSession < Authlogic::Session::Base # logout_on_timeout true # default if false # end # # This will require a user to log back in if they are inactive for more than # 10 minutes. In order for this feature to be used you must have a # last_request_at datetime column in your table for whatever model you are # authenticating with. module Timeout def self.included(klass) klass.class_eval do extend Config include InstanceMethods before_persisting :reset_stale_state after_persisting :enforce_timeout attr_accessor :stale_record end end # Configuration for the timeout feature. module Config # With acts_as_authentic you get a :logged_in_timeout configuration # option. If this is set, after this amount of time has passed the user # will be marked as logged out. Obviously, since web based apps are on a # per request basis, we have to define a time limit threshold that # determines when we consider a user to be "logged out". Meaning, if # they login and then leave the website, when do mark them as logged # out? I recommend just using this as a fun feature on your website or # reports, giving you a ballpark number of users logged in and active. # This is not meant to be a dead accurate representation of a user's # logged in state, since there is really no real way to do this with web # based apps. Think about a user that logs in and doesn't log out. There # is no action that tells you that the user isn't technically still # logged in and active. # # That being said, you can use that feature to require a new login if # their session times out. Similar to how financial sites work. Just set # this option to true and if your record returns true for stale? then # they will be required to log back in. # # Lastly, UserSession.find will still return an object if the session is # stale, but you will not get a record. This allows you to determine if # the user needs to log back in because their session went stale, or # because they just aren't logged in. Just call # current_user_session.stale? as your flag. # # * Default: false # * Accepts: Boolean def logout_on_timeout(value = nil) rw_config(:logout_on_timeout, value, false) end alias_method :logout_on_timeout=, :logout_on_timeout end # Instance methods for the timeout feature. module InstanceMethods # Tells you if the record is stale or not. Meaning the record has timed # out. This will only return true if you set logout_on_timeout to true # in your configuration. Basically how a bank website works. If you # aren't active over a certain period of time your session becomes stale # and requires you to log back in. def stale? if remember_me? remember_me_expired? else !stale_record.nil? || (logout_on_timeout? && record && record.logged_out?) end end private def reset_stale_state self.stale_record = nil end def enforce_timeout if stale? self.stale_record = record self.record = nil end end def logout_on_timeout? self.class.logout_on_timeout == true end end end end end