The "data" in a Rails session looks like this:

```ruby
{"warden.user.user.key" => [[1], "long-random-string"]}
```

1 is the user id. What is the long random string? Is this something handled/used by Rails, or Devise?
When you log in a user (Devise model name User), a key "warden.user.model_name.key" is created, which in your case is "warden.user.user.key".
For example:

```ruby
{ "warden.user.user.key" => [[1], "$2a$10$KItas1NKsvunK0O5w9ioWu"] }
```

where 1 is the id of the logged in user, and $2a$10$KItas1NKsvunK0O5w9ioWu (aka long-random-string) is the partial encrypted password of the user with id 1.
You can verify this by going on the rails console and executing:

```ruby
User.find(1).encrypted_password
## => "$2a$10$KItas1NKsvunK0O5w9ioWuWp4wbZ4iympYMqVCRmmvTGapktKqdMe"
```
UPDATE

> Could you tell me a bit more about this partial encrypted password? Why is it partial and not full?
To answer your above question in the comment, Devise stores the partial encrypted_password in the session by invoking the authenticatable_salt method. Devise stores the partial encrypted_password as it is more reliable than exposing the full encrypted_password in the session (even though it is encrypted). That's why the first 30 characters ([0,29]) of the encrypted_password are extracted and stored in the session.
```ruby
# A reliable way to expose the salt regardless of the implementation.
def authenticatable_salt
  encrypted_password[0,29] if encrypted_password
end
```
You can see the code for authenticatable_salt here.
> Where/when is it used? Is it used by Devise, or by Rails, or both?

It is used by Devise for authentication purposes, to verify whether or not a particular user is logged in. The ideal use-case would be how a particular Rails application keeps track of a logged in user when a new page is requested. As HTTP requests are stateless, it would otherwise be impossible to tell that a given request actually came from the particular user who is logged in. This is why sessions are important: they allow the application to keep track of the logged in user from one request to another until the session expires.