Rails: Is that safe to store data in "session"?

I thought to store the type of the currently logged in user in session[:user_type]. The options are: "admin", "end_user", "demo" (may add more user types in the future).

I wonder if it is safe to do that in Rails 3 application.

Can user change somehow the session[:user_type] from "demo" to "admin" ?

Misha Moroshko, asked Mar 29 '11 10:03


2 Answers

It depends on your session store.
By default it uses cookies as the session store, so by default it's not safe: it's pretty easy to change the content of a cookie.

So you could either:

  • change your session store in config/initializers/session_store.rb and use an ActiveRecord store (so it will be stored in the db) or a memcache store. There are also plenty of plugins on GitHub letting you use Redis, MongoDB, ... as session stores
  • store this information in your db and have a before_filter in your application_controller that accesses the cookie to get the current user id and loads the whole user object into a variable @current_user
Mike, answered Oct 14 '22 08:10
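A constructed Ruby example, added here and not Rails' own CookieStore code, modelling the two points in this answer: a cookie-backed session whose payload anyone holding the cookie can read and edit, with an HMAC as the only tamper check, and the safer pattern of keeping just a user id in the session and reading the type from the user record. SECRET, USERS and the helper names are assumptions.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Constructed stand-in for a cookie-backed session: the whole session hash
# lives in the cookie, readable by whoever holds it, and an HMAC over the
# payload is the only thing that lets the server detect edits. Not Rails' code.
SECRET = 'constructed-example-secret-not-for-real-use'

def sign(payload)
  OpenSSL::HMAC.hexdigest('SHA1', SECRET, payload)
end

# Constant-time comparison so the digest check does not leak timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def encode_session(session)
  payload = Base64.strict_encode64(JSON.generate(session))
  "#{payload}--#{sign(payload)}"
end

# Returns the session hash, or nil if the signature does not match.
def decode_session(cookie)
  payload, digest = cookie.to_s.split('--', 2)
  return nil if payload.nil? || digest.nil?
  return nil unless secure_compare(sign(payload), digest)
  JSON.parse(Base64.strict_decode64(payload))
end

# Anyone can read the payload without the secret: never put secrets in it.
def peek_session(cookie)
  JSON.parse(Base64.strict_decode64(cookie.split('--', 2).first))
end

# What a client-side edit looks like to the server: old signature, new payload.
def edited_cookie(cookie, key, value)
  session = peek_session(cookie).merge(key => value)
  "#{Base64.strict_encode64(JSON.generate(session))}--#{cookie.split('--', 2).last}"
end

# Safer pattern from the second bullet: keep only the id in the session and
# read the type from the user record (constructed in-memory table here).
USERS = { 7 => { 'name' => 'misha', 'user_type' => 'demo' } }

def current_user_type(cookie)
  session = decode_session(cookie)
  session && USERS.fetch(session['user_id'], {})['user_type']
end
```

Even when the signature check holds, the payload is only base64, so peek_session shows why a cookie session should carry an id and not anything confidential.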


Look at this thread: Rails sessions current practices

ThoKra, answered Oct 14 '22 07:10