views:

359

answers:

4

I'm looking at implementing some form of anonymous user system in Rails. I need to let people do things (creating records, looking at what they've created, etc), without actually creating an account. Once they create an account, everything persists without risk of losing it by clearing cookies or something.

Right now, I'm thinking it's pretty straightforward. Have an is_anonymous field in the User model, and use something like this to access the currently logged in user:

def find_user
  session[:user_id] ||= create_new_anonymous_user.id
end

Assuming the session persists for some reasonable period of time, and the session cookie doesn't expire, that should keep everything running smoothly.

However, there is this piece of me that is convinced that I'm missing something security-related. Has anyone done something like this before? Am I missing something super-obvious?

Thanks!

A: 

Assuming the session persists for some reasonable period of time, and the session cookie doesn't expire, that should keep everything running smoothly.

Perhaps you should set a separate long lived cookie for the new user, so they can have multiple sessions (at least from that browser).

frankodwyer
+3  A: 

The only real security issue is going to be if these anonymous users can perform critical operations.

Your system means that anyone with the specific cookie will gain access to the site. Not necessarily a big deal, but it really depends on the type of information your users are providing.

I have done something similar in the past (in my case I was tracking progress through a site and when the user logged in or registered, I attached the "guest" data to their account. When you do the switch, make sure you delete the anonymous record to prevent further access and it should be fine.

Toby Hede
A: 

Are you sure that you want to let people create objects that are tied to accounts that may not exist? Unfortunately I don't know much about what your application is actually doing but I would think that going down this path might leave you with a bunch of orphaned objects not really "owned" by any real users.

If you really do want to do this I think what you have is decent. You could be creating a real user, flagged as "guest" (or whatever) and once the user wants to really register they are prompted for other information and unflagged. You should add access control for guest vs non-guest, etc.

sammich
Well, the intent is to delete all the anonymous accounts and their related records n days after the last access, where n is the number of days before the session cookie expires. I want to have as little barrier to usage as possible.
Tim Sullivan
+1  A: 

I just found a pretty cool example of "trial users" using Authlogic: http://github.com/gisikw/authlogic_trial

chap