rails storing password in a session

Question

I have a rails app that makes web api call , the rails app by itself doesn't have any database or userstore. Every api call needs to be sent username and password for each request.

I would like to provide an authentication mechanism for the rails app. I am planning to do it this way :

1. Show a login page
2. Get the username and password
3. Store the username and password
4. Perform a manual authentication either via warden.authenticate or authlogic.something ( or may be even that is not required can just check if session has something stored )
5. And then when user does something I pass the username and password that was stored earlier.

Now my problem is where do I store the password ? If I use session I cannot use cookie store obviously , I can use session_store = :active_record_store but not sure if its safe , also I don't have any database as of now so why should I create one just for session ? Is there any other mechanism to store passwords within a session ? (safe way obviously )

Earlier rails had :

• MemoryStore
• FileStore

But now both seems to be removed. So any other solution ?

Notes from answers :

1. Storing encrypted passwords won't work since I need the raw password to be sent to server while making api calls.
2. I have no control over the API , so I cannot change its authentication.
3. There is no user profile maintenance on rails app. Everything managed by API calls.

I finally thought to implement custom memory store but it seems to throw stackoverflow error. I got the code from https://rails.lighthouseapp.com/projects/8994/tickets/1876-uninitialized-constant-actioncontrollersessionmemorystore

require 'action_dispatch'
module ActionDispatch
module Session
class CustomMemoryStore < ActionDispatch::Session::AbstractStore
  GLOBAL_HASH_TABLE = {} #:nodoc:

  private
    def get_session(env, sid)
      sid ||= generate_sid
      session = GLOBAL_HASH_TABLE[sid] || {}
      session = AbstractStore::SessionHash.new(self, env).merge(session)
      [sid, session]
    end

    def set_session(env, sid, session_data)
      GLOBAL_HASH_TABLE[sid] = session_data
      return true
    end
  end
 end
end
Steptools3::Application.config.session_store :custom_memory_store, :key => '_some_xyz'

Answer 1

You could try using Redis as a session store. We use rails3-redis-session-store gem. The source can be found here.

It is very easy to setup, and sessions expire automatically, which makes it safe. Example config:

YourApp::Application.config.session_store :redis_session_store,
                                          :db => 0,
                                          :expire_after => 10.minutes,
                                          :key_prefix => "your_app:session:"

An alternative would be to use dalli, and thus use memcached as the backend.

Hope this helps.