Rails - Cookies or Active Record Store for Sessions

I am building an authentication system for my project. What is the recommended approach to store session information (I am just storing the user's id, nothing else):

  • Cookie Store
  • Active Record Store

Also, what are the security concerns for using nested forms and accepts_nested_attributes_for?

Please advise.

Thanks a lot in advance.

Rails Newbie asked Aug 10 '11 16:08


People also ask

Where does Rails store session data?

The session is only available in the controller and the view and can use one of a number of different storage mechanisms: ActionDispatch::Session::CookieStore - Stores everything on the client. ActionDispatch::Session::CacheStore - Stores the data in the Rails cache. ActionDispatch::Session::ActiveRecordStore - Stores the data in a database table and sends only the session id to the client (built into Rails 3 as ActiveRecord::SessionStore; provided by the activerecord-session_store gem from Rails 4 on).

How are sessions stored in Rails?

Rails uses ActionDispatch::Session::CookieStore as the default session storage. Learn more about other session storages in the Action Controller Overview Guide. Rails CookieStore saves the session hash in a cookie on the client side, signed with the application's secret so the client cannot alter it; in Rails 3 the contents are only Base64-encoded and therefore readable by anyone holding the cookie, and later versions encrypt them as well.

How do sessions and cookies work in Rails?

Cookies, Sessions and Flashes are three special objects that Rails gives you in which each behave a lot like hashes. They are used to persist data between requests, whether until just the next request, until the browser is closed, or until a specified expiration has been reached.

What do you store in session cookies?

With CookieStore, the session cookie holds whatever the application puts into session (here, the user's id) and nothing else; there is no server-side copy to consult or delete. A browser session cookie has no Expires attribute and is discarded when the browser is closed, but a copied cookie value is not affected by that.


1 Answer

There are definitely security concerns when using CookieStore. The main problem is that a CookieStore session can't be killed on the server side. If someone gains access to your cookies, he can easily log in as you, even if you log out and start a new session with a new cookie.

ActiveRecordStore at least gives you the ability to invalidate a session by removing it from the database.

This is a good blog post about it. http://www.bryanrite.com/ruby-on-rails-cookiestore-security-concerns-lifetime-pass/

Brad Pauly answered Sep 19 '22 03:09
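Added example (the editor's, not code from the question, the answer or the linked post): a self-contained Ruby model of the two stores, with no Rails dependency. The CookieStore model signs the whole session hash with an HMAC, as Rails does; the ActiveRecordStore model keeps one row per session and hands the client only an opaque id. The scenario functions play out the answer's point, a stolen cookie after the victim logs out, for each store, and show what the signature still does prevent. The last two functions show a common mitigation that keeps CookieStore: a per-user token stored in the session and in a users table column, rotated on logout or password change. The column name session_token, the secret string and the users Hash standing in for the users table are assumptions.

```ruby
require "openssl"
require "json"
require "base64"
require "securerandom"

# Constant-time comparison so signature checks do not leak timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# CookieStore model: the whole session hash travels in the cookie as Base64
# plus an HMAC. The server keeps no record of the cookies it has issued.
class CookieStoreSession
  def initialize(secret)
    @secret = secret
  end

  def encode(session_hash)
    payload = Base64.strict_encode64(JSON.generate(session_hash))
    "#{payload}--#{sign(payload)}"
  end

  # Returns the session hash, or nil if the cookie was altered.
  def decode(cookie)
    payload, sig = cookie.to_s.split("--", 2)
    return nil unless payload && sig && secure_compare(sign(payload), sig)
    JSON.parse(Base64.strict_decode64(payload))
  rescue ArgumentError, JSON::ParserError
    nil
  end

  def sign(payload)
    OpenSSL::HMAC.hexdigest("SHA256", @secret, payload)
  end
end

# ActiveRecordStore model: the cookie carries only an opaque session id; the
# data lives in a sessions table (a Hash here), so a row can be deleted.
class ActiveRecordStoreSession
  def initialize
    @rows = {}
  end

  def create(session_hash)
    sid = SecureRandom.hex(16)
    @rows[sid] = session_hash
    sid
  end
  def lookup(sid)
    @rows[sid]
  end
  def destroy(sid)
    @rows.delete(sid)
  end
end

# The answer's scenario: an attacker copied the victim's cookie, then the victim
# logged out. Logout only tells the browser to drop its copy; the stolen copy
# still carries a valid signature and still decodes to user 42.
def cookie_store_after_logout(secret = "app-secret")
  store = CookieStoreSession.new(secret)
  stolen = store.encode("user_id" => 42)
  store.decode(stolen)
end

# Same scenario with the server-side store: logout deletes the row.
def active_record_store_after_logout
  store = ActiveRecordStoreSession.new
  stolen = store.create("user_id" => 42)
  store.destroy(stolen)
  store.lookup(stolen)
end

# What the signature still prevents: changing user_id without the secret.
def cookie_store_tampered(secret = "app-secret")
  store = CookieStoreSession.new(secret)
  sig = store.encode("user_id" => 42).split("--", 2).last
  store.decode(Base64.strict_encode64(JSON.generate("user_id" => 1)) + "--" + sig)
end

# Mitigation that keeps CookieStore: a per-user token kept in the session and in
# a users table column (session_token is an assumed name), rotated on logout or
# password change, so older cookies stop matching even though they still verify.
def user_id_from_cookie(store, cookie, users)
  data = store.decode(cookie)
  user = data && users[data["user_id"]]
  return nil unless user && secure_compare(user[:session_token], data["session_token"].to_s)
  data["user_id"]
end

def logout_with_token_rotation(secret = "app-secret")
  store = CookieStoreSession.new(secret)
  users = { 42 => { session_token: SecureRandom.hex(16) } } # stands in for the users table
  stolen = store.encode("user_id" => 42, "session_token" => users[42][:session_token])
  before = user_id_from_cookie(store, stolen, users)
  users[42][:session_token] = SecureRandom.hex(16) # rotated by logout
  after = user_id_from_cookie(store, stolen, users)
  [before, after]
end
```

In a real Rails app the only switch that revokes CookieStore sessions is rotating the application secret (secret_token in Rails 3, secret_key_base later), which logs out every user at once; the per-user token pattern above is what gives you per-account revocation without moving to a database-backed store.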