 

rails storing password in a session

I have a Rails app that makes web API calls; the Rails app by itself doesn't have any database or user store. Every API call needs to be sent the username and password for each request.

I would like to provide an authentication mechanism for the Rails app. I am planning to do it this way:

  1. Show a login page
  2. Get the username and password
  3. Store the username and password
  4. Perform a manual authentication either via warden.authenticate or authlogic.something (or maybe even that is not required; I can just check if the session has something stored)
  5. And then when the user does something, I pass the username and password that were stored earlier.

Now my problem is: where do I store the password? If I use the session I obviously cannot use the cookie store. I can use session_store = :active_record_store but I'm not sure if it's safe; also I don't have any database as of now, so why should I create one just for sessions? Is there any other mechanism to store passwords within a session? (A safe way, obviously.)

Earlier Rails had:

  • MemoryStore
  • FileStore

But now both seem to have been removed. So is there any other solution?

Notes from answers:

  1. Storing encrypted passwords won't work since I need the raw password to be sent to the server while making API calls.
  2. I have no control over the API, so I cannot change its authentication.
  3. There is no user profile maintenance in the Rails app. Everything is managed by API calls.

I finally thought to implement a custom memory store, but it seems to throw a stack overflow error. I got the code from https://rails.lighthouseapp.com/projects/8994/tickets/1876-uninitialized-constant-actioncontrollersessionmemorystore

require 'action_dispatch'

module ActionDispatch
  module Session
    # Process-local session store: session data stays in a Hash inside the
    # app process and only the session id reaches the cookie. The table is
    # per process (not shared between workers) and is lost on restart.
    class CustomMemoryStore < ActionDispatch::Session::AbstractStore
      GLOBAL_HASH_TABLE = {} #:nodoc:

      private
        def get_session(env, sid)
          sid ||= generate_sid
          # Return a plain Hash and let the framework wrap it. Wrapping it in
          # AbstractStore::SessionHash here, as the ticket's code did, makes
          # SessionHash#merge call load!, which calls get_session again and
          # recurses until the stack overflows.
          session = GLOBAL_HASH_TABLE[sid] || {}
          [sid, session]
        end

        # Rails 3.0 passes three arguments; 3.1 adds options and uses the
        # returned sid for the cookie. sid is truthy, so both are satisfied.
        def set_session(env, sid, session_data, options = nil)
          GLOBAL_HASH_TABLE[sid] = session_data
          sid
        end

        # reset_session calls destroy(env) in Rails 3.0 and destroy_session
        # in 3.1+; the AbstractStore default for each raises.
        def destroy(env)
          GLOBAL_HASH_TABLE.delete(current_session_id(env))
        end

        def destroy_session(env, sid, options = nil)
          GLOBAL_HASH_TABLE.delete(sid)
          generate_sid
        end
    end
  end
end

Steptools3::Application.config.session_store :custom_memory_store, :key => '_some_xyz'
Gaurav Shah asked Nov 17 '11 09:11





1 Answer

You could try using Redis as a session store. We use the rails3-redis-session-store gem. The source can be found here.

It is very easy to set up, and sessions expire automatically, which makes it safe. Example config:

YourApp::Application.config.session_store :redis_session_store,
                                          :db => 0,
                                          :expire_after => 10.minutes,
                                          :key_prefix => "your_app:session:"

An alternative would be to use dalli, and thus use memcached as the backend.

Hope this helps.

nathanvda answered Oct 11 '22 08:10

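As an added worked example (editor's code, not from either post and not the gem's code), here is the pattern that both the question's custom memory store and the answer's expiring Redis store are reaching for, written as a stand-alone Ruby class: the browser cookie only ever carries an opaque random session id, the credentials live server-side in a backing store (a plain Hash here, standing in for Redis or memcached), they are sealed with AES-256-GCM under a key held only by the app process so that a dump of the backing store alone does not expose passwords, and they expire after an idle TTL in the spirit of the answer's :expire_after. The class name, its method names, the sample credentials and the assumption that the API takes HTTP Basic auth are all assumptions made for the example; the question does not say which scheme the API uses.

```ruby
require 'openssl'
require 'securerandom'
require 'base64'

# Server-side vault for API credentials captured at login (example code, not
# from the page). Only an opaque random sid goes to the browser; the raw
# credentials never leave the server and can still be recovered by the app
# for each API call, which is what the question needs.
class CredentialVault
  CIPHER = 'aes-256-gcm'

  # ttl: idle lifetime in seconds (like :expire_after in the answer above).
  # backing_store: any Hash-like store; a real app would use Redis/memcached.
  # clock: injectable time source so expiry can be tested without sleeping.
  def initialize(ttl: 600, backing_store: {}, clock: -> { Time.now })
    @ttl   = ttl
    @store = backing_store   # sid => { blob:, iv:, tag:, expires_at: }
    @clock = clock
    @lock  = Mutex.new       # the store is shared by every request thread
    # Process-held key: a dump of the backing store alone yields nothing.
    # In a real deployment load this from the app secrets rather than
    # generating it per process, or sessions will not survive a restart.
    @key = OpenSSL::Cipher.new(CIPHER).random_key
  end

  # Called once at login; returns the sid to put in the session cookie.
  def store(username, password)
    sid = SecureRandom.hex(32)   # 256 bits of entropy, not guessable
    # Base64 each field so a ':' inside the username or password is safe.
    payload = [username, password].map { |s| Base64.strict_encode64(s) }.join(':')
    cipher = OpenSSL::Cipher.new(CIPHER).encrypt
    cipher.key = @key
    iv = cipher.random_iv
    cipher.auth_data = sid       # bind the ciphertext to its own sid
    blob = cipher.update(payload) + cipher.final
    @lock.synchronize do
      @store[sid] = { blob: blob, iv: iv, tag: cipher.auth_tag,
                      expires_at: @clock.call + @ttl }
    end
    sid
  end

  # Returns [username, password] for a live sid, or nil if the sid is
  # unknown, expired, or its blob fails authentication. A successful fetch
  # slides the expiry forward, i.e. an idle timeout.
  def fetch(sid)
    entry = @lock.synchronize do
      e = @store[sid]
      if e && e[:expires_at] <= @clock.call
        @store.delete(sid)     # expired: drop the credentials immediately
        e = nil
      end
      e[:expires_at] = @clock.call + @ttl if e
      e
    end
    return nil unless entry
    decipher = OpenSSL::Cipher.new(CIPHER).decrypt
    decipher.key = @key
    decipher.iv = entry[:iv]
    decipher.auth_tag = entry[:tag]
    decipher.auth_data = sid
    payload = decipher.update(entry[:blob]) + decipher.final
    payload.split(':', 2).map { |s| Base64.strict_decode64(s) }
  rescue OpenSSL::Cipher::CipherError
    nil   # tampered or foreign blob: treat as not logged in
  end

  # Logout: remove the credentials now rather than waiting for the TTL.
  # Returns true if a session was actually removed.
  def destroy(sid)
    @lock.synchronize { !@store.delete(sid).nil? }
  end

  # Authorization header value for the per-request API call. Assumes the
  # API takes HTTP Basic auth, which is an assumption of this example.
  def basic_auth_header(sid)
    creds = fetch(sid)
    return nil unless creds
    'Basic ' + Base64.strict_encode64(creds.join(':'))
  end
end
```

Wiring this into the app means keeping only the sid in the Rails session (any store, including the cookie store, is then acceptable because the cookie holds no secret), calling destroy on logout, and treating a nil from fetch as "not logged in". The encryption here is reversible on purpose: unlike a password hash, which the question's first note rules out, it gives the app the raw password back while denying it to anyone who only has the Redis or memcached contents.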