Anonymous users in Rails -- security considerations?

4

7

I'm looking at implementing some form of anonymous user system in Rails. I need to let people do things (creating records, looking at what they've created, etc), without actually creating an account. Once they create an account, everything persists without risk of losing it by clearing cookies or something.

Right now, I'm thinking it's pretty straightforward. Have an is_anonymous field in the User model, and use something like this to access the currently logged in user:

def find_user
  session[:user_id] ||= create_new_anonymous_user.id
end

Assuming the session persists for some reasonable period of time, and the session cookie doesn't expire, that should keep everything running smoothly.

However, there is this piece of me that is convinced that I'm missing something security-related. Has anyone done something like this before? Am I missing something super-obvious?

Thanks!

Trochilus answered 7/1, 2009 at 18:29 Comment(0)
4

The only real security issue is going to be if these anonymous users can perform critical operations.

Your system means that anyone with the specific cookie will gain access to the site. Not necessarily a big deal, but it really depends on the type of information your users are providing.

I have done something similar in the past (in my case I was tracking progress through a site and when the user logged in or registered, I attached the "guest" data to their account). When you do the switch, make sure you delete the anonymous record to prevent further access, and it should be fine.

Titer answered 10/1, 2009 at 4:33 Comment(0)
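
The switch described in the answer above, as an added example that is not part of the original posts: a plain-Ruby model of moving guest data to the account, deleting the anonymous record, and resetting the session. `Store`, `User`, `Record`, `current_user` and `promote_guest!` are hypothetical names standing in for the application's models and helpers, and `session.clear` stands in for Rails' `reset_session`.

```ruby
# Added example: in-memory stand-ins for ActiveRecord models, so it runs without Rails.
require 'securerandom'

User   = Struct.new(:id, :is_anonymous)
Record = Struct.new(:id, :user_id, :body)

class Store
  attr_reader :users, :records

  def initialize
    @users = {}
    @records = []
  end

  def create_user(anonymous:)
    user = User.new(SecureRandom.uuid, anonymous)
    @users[user.id] = user
  end

  def create_record(user, body)
    @records << Record.new(SecureRandom.uuid, user.id, body)
    @records.last
  end
end

# Mirrors the question's find_user, but returns the user and recovers from a
# stale cookie whose guest row has already been deleted.
def current_user(session, store)
  user = store.users[session[:user_id]]
  user ||= store.create_user(anonymous: true)
  session[:user_id] = user.id
  user
end

# Called after a successful login or registration as `account`.
def promote_guest!(session, store, account)
  guest = store.users[session[:user_id]]
  # Only merge from a guest row; never pull records out of another real account.
  if guest&.is_anonymous && guest.id != account.id
    store.records.each { |r| r.user_id = account.id if r.user_id == guest.id }
    store.users.delete(guest.id) # the old guest id now grants nothing
  end
  session.clear                  # stands in for Rails' reset_session
  session[:user_id] = account.id
  account
end
```

A copied guest cookie replayed after the switch resolves to a brand-new empty guest, because the row it pointed at no longer exists.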
2

I just found a pretty cool example of "trial users" using Authlogic: http://github.com/gisikw/authlogic_trial

Codfish answered 13/10, 2009 at 15:53 Comment(1)
link seems dead.. do you know if this has been moved? - Putupon
0

> Assuming the session persists for some reasonable period of time, and the session cookie doesn't expire, that should keep everything running smoothly.

Perhaps you should set a separate long lived cookie for the new user, so they can have multiple sessions (at least from that browser).

Quadripartite answered 7/1, 2009 at 18:32 Comment(0)
0

Are you sure that you want to let people create objects that are tied to accounts that may not exist? Unfortunately I don't know much about what your application is actually doing but I would think that going down this path might leave you with a bunch of orphaned objects not really "owned" by any real users.

If you really do want to do this I think what you have is decent. You could be creating a real user, flagged as "guest" (or whatever) and once the user wants to really register they are prompted for other information and unflagged. You should add access control for guest vs non-guest, etc.

Borden answered 10/1, 2009 at 20:58 Comment(1)
Well, the intent is to delete all the anonymous accounts and their related records n days after the last access, where n is the number of days before the session cookie expires. I want to have as little barrier to usage as possible. - Trochilus
