How does rails/devise handle cookie sessions?

Question

I'd like to understand what's really going on when signing in a user with rails/devise.

I've created a minimal rails app, installed devise and created a User devise model. Everything works fine, and when I log in (using remember me) I get a session cookie just as expected.

Now what's bugging me is : How does rails handle the session informations that the browser is passing through the cookie ?

I'd naively expect some information to be stored in the database, but I don't see where. There's no such thing as session table, no session column in Users, and I couldn't find anything of interest in the tmp dir.

Note that restarting the server wouldn't kill my session. It is of course expected, but now I'm really wondering what kind of magic is happening here ?

in other words : how does the server check the validity of a cookie to authenticate a user ?

Thanks !

Answer 1

The default rails session storage is CookieStore. This means that all the session data is stored in a cookie rather than in the database anywhere. In Rails 3.2 the cookie is signed to prevent tampering, but not encrypted. In Rails 4 it's generally encrypted by default. The fact that it's in a cookie is how it persists across restarts of your server. It also means you can only store 4k of data and you wouldn't want to store anything sensitive in there in Rails < 4. It's best to keep a minimum of data in the session anyway.

You can also opt for storing the session data in the database and only having a session id in a cookie.

This answer I gave the other week has some extra info that might be useful:

Sessions made sense to me before I started reading about them online

Also, the rails api doc for CookieStore gives a nice summary:

http://api.rubyonrails.org/classes/ActionDispatch/Session/CookieStore.html