The "data" in a Rails session looks like this:
{"warden.user.user.key" => [[1], "long-random-string"]}
1 is the user id. What is the long random string?
Is this something handled/used by Rails, or Devise?
Warden is a Ruby gem that does the actual authentication through an array of strategies; when the first strategy fails to authenticate the user, it uses the next and so forth. Devise adds several strategies to Warden, according to your User model configuration (if it is rememberable, database_authenticatable, etc.).
Devise is the cornerstone gem for Ruby on Rails authentication. With Devise, creating a User that can log in and out of your application is so simple because Devise takes care of all the controllers necessary for user creation (users_controller) and for user sessions (users_sessions_controller).
When you log in a user (Devise model name User), a key "warden.user.model_name.key" is created, which in your case is "warden.user.user.key".
For example:
{ "warden.user.user.key" => [[1], "$2a$10$KItas1NKsvunK0O5w9ioWu"] }
where 1 is the id of the logged in user, and $2a$10$KItas1NKsvunK0O5w9ioWu (aka long-random-string) is the partial encrypted password of the user with id 1.
You can verify this by going into the rails console and executing:
User.find(1).encrypted_password ## => "$2a$10$KItas1NKsvunK0O5w9ioWuWp4wbZ4iympYMqVCRmmvTGapktKqdMe"
UPDATE
could you tell me a bit more about this partial encrypted password? why is it partial and not full?
To answer your above question in the comment, Devise stores the partial encrypted_password in the session by invoking the authenticatable_salt method. Devise stores the partial encrypted_password as it is more reliable than exposing the full encrypted_password in the session (even though it is encrypted). That's why the first 30 characters [0,29] of the encrypted_password are extracted and stored in the session.
  # A reliable way to expose the salt regardless of the implementation.
  def authenticatable_salt
    encrypted_password[0,29] if encrypted_password
  end
You can see the code for authenticatable_salt here.
where/when is it used? is it used by Devise, or by Rails, or both?
It is used by Devise for authentication purposes, to verify whether or not a particular user is logged in. An ideal use case would be how a particular Rails application keeps track of a logged-in user when a new page is requested. As HTTP requests are stateless, it would be impossible to tell that a given request actually came from that particular user who is logged in. This is why sessions are important, as they allow the application to keep track of the logged-in user from one request to another until the session expires.