tags:

views:

359

answers:

4
+3  Q: 

Anonymous users in Rails -- security considerations?

I'm looking at implementing some form of anonymous user system in Rails. I need to let people do things (creating records, looking at what they've created, etc), without actually creating an account. Once they create an account, everything persists without risk of losing it by clearing cookies or something.

Right now, I'm thinking it's pretty straightforward. Have an is_anonymous field in the User model, and use something like this to access the currently logged in user:

def find_user
  session[:user_id] ||= create_new_anonymous_user.id
end

Assuming the session persists for some reasonable period of time, and the session cookie doesn't expire, that should keep everything running smoothly.

However, there is this piece of me that is convinced that I'm missing something security-related. Has anyone done something like this before? Am I missing something super-obvious?

Thanks!

A: 

Assuming the session persists for some reasonable period of time, and the session cookie doesn't expire, that should keep everything running smoothly.

Perhaps you should set a separate long lived cookie for the new user, so they can have multiple sessions (at least from that browser).

frankodwyer  2009-01-07 18:32:12
+3  A: 

The only real security issue is going to be if these anonymous users can perform critical operations.

Your system means that anyone with the specific cookie will gain access to the site. Not necessarily a big deal, but it really depends on the type of information your users are providing.

I have done something similar in the past (in my case I was tracking progress through a site and when the user logged in or registered, I attached the "guest" data to their account. When you do the switch, make sure you delete the anonymous record to prevent further access and it should be fine.

Toby Hede  2009-01-10 04:33:26
A: 

Are you sure that you want to let people create objects that are tied to accounts that may not exist? Unfortunately I don't know much about what your application is actually doing but I would think that going down this path might leave you with a bunch of orphaned objects not really "owned" by any real users.

If you really do want to do this I think what you have is decent. You could be creating a real user, flagged as "guest" (or whatever) and once the user wants to really register they are prompted for other information and unflagged. You should add access control for guest vs non-guest, etc.

sammich  2009-01-10 20:58:50
Well, the intent is to delete all the anonymous accounts and their related records n days after the last access, where n is the number of days before the session cookie expires. I want to have as little barrier to usage as possible.
Tim Sullivan  2009-01-11 04:41:30
+1  A: 

I just found a pretty cool example of "trial users" using Authlogic: http://github.com/gisikw/authlogic_trial

chap  2009-10-13 15:53:30

related questions

Best place to get Ruby on Vista up and running as dev environment
How can I encode xml files to xfdl (base64-gzip)?
What is the best way to learn Ruby?
Learning Ruby on Rails any good for Grails?
How to sell Python to a client/boss/person with lots of cash
How do I create a Class using the Singleton Design Pattern in Ruby?
How do I update Ruby Gems from behind a Proxy (ISA-NTLM)
Why Should I Learn Ruby?
How do I create a new Ruby on Rails application using MySQL instead of SQLite?
How do I rake tasks within a ruby script?
Ruby On Rails with Windows Vista - Best Setup?
Mapping values from two array in Ruby
Reverse DNS in Ruby?
Text Editor For Linux (Besides Vi)?
What is good forum software to add to an existing Rails application?
Calling Bash Commands From Ruby
How can I modify .xfdl files? (Update #1)
How do I use (n)curses in Ruby?
Open Source Ruby Projects
How do I fix 'Unprocessed view path found' error with ExceptionNotifier plugin in rails 2.1?
When to use lambda, when to use Proc.new?
Frequent SystemExit in Ruby when making HTTP calls
Implementation of "Remember me" in a Rails application.
.NET Migrations Engine
How do I add existing comments to RDoc in Ruby?