Menu
I am building an authentication system for my project. What is the recommended approach to store session information (I am just storing the user's id nothing else):
Also, what are the security concerns for using nested forms and accepts_nested_attributes_for.
Please advise.
Thanks a lot in advance.
953
The session is only available in the controller and the view and can use one of a number of different storage mechanisms: ActionDispatch::Session::CookieStore - Stores everything on the client. ActionDispatch::Session::CacheStore - Stores the data in the Rails cache.
Rails uses ActionDispatch::Session::CookieStore as the default session storage. Learn more about other session storages in Action Controller Overview Guide. Rails CookieStore saves the session hash in a cookie on the client-side.
Cookies, Sessions and Flashes are three special objects that Rails gives you in which each behave a lot like hashes. They are used to persist data between requests, whether until just the next request, until the browser is closed, or until a specified expiration has been reached.
This cookie stores information such as the user's input and tracks the movements of the user within the website. There is no other information stored in the session cookie. Session cookies are set on a device's temporary memory when a browser session starts.
There are definitely security concerns when using CookieStore. The main problem is that a CookieStore session can't be killed on the server side. If someone gains access to your cookies, he can easily login as you. Even if you logout and start a new session with a new cookie.
ActiveRecordStore at least gives you the ability to invalidate a session by removing it from the database.
This is a good blog post about it. http://www.bryanrite.com/ruby-on-rails-cookiestore-security-concerns-lifetime-pass/
66
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
