Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Rails sessions current practices

Tags:

ruby

ruby-on-rails

cookies

session

People also ask

How do Sessions work in Rails?

Sessions are kept serverside. It's saved on the webserver itself. This can be in a file/memory/database. The ID of that session is saved in a cookie on the user his browser to associate the user with the correct session.

Where does Rails store session data?

By default rails uses cookies to store the session data. All data is stored in the client, not on the server.

What are sessions and cookies in Rails?

Cookies, Sessions and Flashes are three special objects that Rails gives you in which each behave a lot like hashes. They are used to persist data between requests, whether until just the next request, until the browser is closed, or until a specified expiration has been reached.

How do I delete a session in Rails?

To clear the whole thing use the reset_session method in a controller. Resets the session by clearing out all the objects stored within and initializing a new session object.

Use the database for sessions instead of the cookie-based default, which shouldn't be used to store highly confidential information

Create the session table with

rake db:sessions:create

Run the migration

rake db:migrate

Make sure you also tell rails to use ActiveRecord to manage your sessions too.

Rails 3

config/initializers/session_store.rb:

Rails.application.config.session_store :active_record_store

Rails 2

config/environment.rb:

config.action_controller.session_store = :active_record_store

Cookies are encrypted by default in Rails 4

In Rails 4, CookieStore cookies are encrypted and signed by default:

If you only have secret_token set, your cookies will be signed, but not encrypted. This means a user cannot alter their user_id without knowing your app's secret key, but can easily read their user_id. This was the default for Rails 3 apps.

If you have secret_key_base set, your cookies will be encrypted. This goes a step further than signed cookies in that encrypted cookies cannot be altered or read by users. This is the default starting in Rails 4.

If you have both secret_token and secret_key_base set, your cookies will be encrypted, and signed cookies generated by Rails 3 will be transparently read and encrypted to provide a smooth upgrade path.

Active Record Session Store is Deprecated in Rails 4

This answer is now out-of-date with regard to Rails 4. The Active Record Session Store has been deprecated and removed from Rails, so the following generators will no longer work:

  • rake db:sessions:create

  • rails generate session_migration

This was pointed out in this answer. The reason that the Active Record Session Store was deprecated is because the reads/writes to the database don't scale well when you have a large number of users accessing your application, as stated in this blog post:

...one major issue with the Active Record session store is that it is not scalable. It puts an unnecessary load on your database. Once your application receives a large amount of traffic, the sessions database table is continuously bombarded with read/write operations.

As of Rails 4, the Active Record session store has be removed from the core framework and is now deprecated.

If you still want to use the Active Record Session Store, it's still available as a gem.

Current Rails Session Best Practices

For more current best practices for Ruby on Rails sessions, I advise that you check out the lastest versions of the Ruby on Rails Security Guide.


I don't believe anything has changed in how anyone on any platform should handle cookie based sessions. Be skeptical of anything that passes beyond the server's control (cookies, form posts, etc.) Thats a general principle of web development.

As far the encryption, I don't know if anything has changed on that front.

Something to be mindful of with a cookie store is the limit to the amount of data, and the gotcha that this data will be sent on the wire in every request, where as a database store only transfers the id and the data lives on the server.


FWIW, rails 3.1 suggests running 

rails generate session_migration

However this generates the exact same migration as 

rake db:sessions:create

The Rails defaults seem pretty good to me- The CookieStore is fast and should cover the majority of use cases. Sure you're limited to 4kb and your data will be visible to the user, but the Rails way is to only use session for things like integer IDs and basic string values- If you're trying to store objects or highly confidential information in session you're probably doing it wrong.

Related questions

Rails -- use type column without STI?
Creating a many to many relationship in Rails
Rails not editable text field
What's the difference between request.remote_ip and request.ip in Rails?
In Ruby on Rails, to extend the String class, where should the code be put in?
Rails - Undefined method `stringify_keys'
How to test ActionMailer deliver_later with rspec
Welcome/home page in Ruby on Rails - best practice
How to skip ActiveRecord callbacks? [duplicate]
Best Solution For Authentication in Ruby on Rails [closed]
Adding Hash parameter in the URL Rails Routes
Best Practices for reusing code between controllers in Ruby on Rails
How do I 'validate' on destroy in rails
Why can you not have a foreign key in a polymorphic association?
Turn off layout for one of action
LEFT OUTER JOIN in Rails 4
Parse a string as if it were a querystring in Ruby on Rails
Why won't bundler install JSON gem?
How does load differ from require in Ruby?
How to write if-condition in Haml?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!