Expired sessions remain in the database

[iamdriz]

When a session expires through inactivity or the user closes their browser, the sessions remain in the database. How can I make sure that expired sessions are always deleted without having to run a background job to keep cleaning it out.

[iamdriz]

I've added this to the Session model:

def self.sweep(time = 15.minutes)
    if time.is_a?(String)
      time = time.split.inject { |count, unit| count.to_i.send(unit) }
    end
    delete_all "updated_at < '#{time.ago.to_s(:db)}'"
end

And then in the controller method for listing sessions, I first call it:

def index
  Session.sweep
  @sessions = Session.order('created_at desc')
end

Which looks to work... except that due to another issue I have found: #98 it means sessions can be deleted early because the updated_at hasn't changed.

[mvz]

@iamdriz see the db:sessions:trim task and #89.

[rafaelfranca]

The supported wait to remove expired session is to use the db:sessions:trim tasks

[eliotsykes]

For developers working in environments where running rake tasks on a schedule is not possible/desirable, you can borrow the code from the db:sessions:trim task.

You should check what the latest code is but currently it is:

cutoff_period = (ENV['SESSION_DAYS_TRIM_THRESHOLD'] || 30).to_i.days.ago
ActiveRecord::SessionStore::Session.
  where("updated_at < ?", cutoff_period).
  delete_all

activerecord-session_store/lib/tasks/database.rake

Lines 17 to 20 in e97fa9f

	cutoff_period = (ENV['SESSION_DAYS_TRIM_THRESHOLD'] || 30).to_i.days.ago
	ActiveRecord::SessionStore::Session.
	where("updated_at < ?", cutoff_period).
	delete_all