How does rails/devise handle cookie sessions?

I'd like to understand what's really going on when signing in a user with rails/devise.

I've created a minimal rails app, installed devise and created a User devise model. Everything works fine, and when I log in (using remember me) I get a session cookie just as expected.

Now what's bugging me is: how does Rails handle the session information that the browser is passing through the cookie?

I'd naively expect some information to be stored in the database, but I don't see where. There's no such thing as a session table, no session column in Users, and I couldn't find anything of interest in the tmp dir.

Note that restarting the server wouldn't kill my session. It is of course expected, but now I'm really wondering what kind of magic is happening here?

In other words: how does the server check the validity of a cookie to authenticate a user?

Thanks !

aherve asked Feb 14 '14 15:02



1 Answer

The default Rails session storage is CookieStore. This means that all the session data is stored in a cookie rather than in the database anywhere. In Rails 3.2 the cookie is signed to prevent tampering, but not encrypted. In Rails 4 it's generally encrypted by default. The fact that it's in a cookie is how it persists across restarts of your server. It also means you can only store 4k of data and you wouldn't want to store anything sensitive in there in Rails < 4. It's best to keep a minimum of data in the session anyway.

You can also opt for storing the session data in the database and only having a session id in a cookie.

This answer I gave the other week has some extra info that might be useful:

Sessions made sense to me before I started reading about them online

Also, the rails api doc for CookieStore gives a nice summary:

http://api.rubyonrails.org/classes/ActionDispatch/Session/CookieStore.html

Tim answered Sep 23 '22 12:09
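To make the answer concrete, here is an added illustration (not Rails' or Devise's own code) of what a signed CookieStore does: the whole session hash lives in the cookie, the server keeps nothing, and a cookie is trusted only if the HMAC computed with the server's secret matches. JSON and SHA-256 are used here as assumptions for brevity (Rails 3.2 used Marshal and SHA-1), and the `warden.user.user.key` session entry is a constructed sample of the kind of value Devise keeps in the session.

```ruby
require "openssl"
require "base64"
require "json"

# Minimal model of a Rails-3.2-style signed CookieStore (illustrative only).
# Nothing is looked up server-side on a request: validity is the signature.
class SignedCookieStore
  def initialize(secret)
    @secret = secret # the role played by secret_token / secret_key_base in Rails
  end

  # Cookie value = base64(JSON session) + "--" + hex HMAC over that base64.
  def generate(session_hash)
    data = Base64.strict_encode64(JSON.generate(session_hash))
    "#{data}--#{digest(data)}"
  end

  # Returns the session hash, or nil for a missing, malformed or tampered cookie.
  def verify(cookie)
    return nil if cookie.nil?
    data, sig = cookie.split("--", 2)
    return nil if data.nil? || sig.nil?
    return nil unless secure_compare(digest(data), sig)
    JSON.parse(Base64.strict_decode64(data))
  rescue ArgumentError, JSON::ParserError
    nil
  end

  private

  def digest(data)
    OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("SHA256"), @secret, data)
  end

  # Constant-time comparison so the signature check does not leak timing.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Constructed walkthrough: a genuine cookie decodes; re-using its signature over
# a different session body (a different user id) is rejected.
def demo
  store = SignedCookieStore.new("constructed-secret-not-for-production")
  cookie = store.generate("warden.user.user.key" => [[42], "salt"])
  body = Base64.strict_encode64(JSON.generate("warden.user.user.key" => [[1], "salt"]))
  tampered = "#{body}--#{cookie.split('--', 2).last}"
  { valid: store.verify(cookie), tampered: store.verify(tampered) }
end
```

Because the signature covers the serialized session, surviving a server restart needs only the same secret, which is why no table or tmp file appears.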