Rails sessions current practices

ruby-on-rails ruby session cookies
Lukas picture Lukas · Apr 6, 2010 · Viewed 46.5k times · Source

Anyone have any "best practices" tips for Rails and sessions? The default session type for Rails 3 is still CookieStore, right? I used SqlSessionStore for a while and it worked well, but I may move away from that in favor of CookieStore.

Is it still not a good idea to use CookieStore for sensitive info, even with salted info or is that better stored in the DB?

Answer

Volcanic picture Volcanic · Aug 25, 2010

Use the database for sessions instead of the cookie-based default, which shouldn't be used to store highly confidential information

Create the session table with

rake db:sessions:create

Run the migration

rake db:migrate

Make sure you also tell rails to use ActiveRecord to manage your sessions too.

Rails 3

config/initializers/session_store.rb:

Rails.application.config.session_store :active_record_store

Rails 2

config/environment.rb:

config.action_controller.session_store = :active_record_store

Related questions

Rails: Access to current_user from within a model in Ruby on Rails

I need to implement fine-grained access control in a Ruby on Rails app. The permissions for individual users are saved in a database table and I thought that it would be best to let the respective resource (i.e. the …

Read More
How to set rails session cookie expiration time to "session"

I'm not very experienced with the parts of Rails that are not on the surface. All I want is to have a session cookie that has the expiration set to session so it expires when the user leaves their browser …

Read More
How to get a random number in Ruby

How do I generate a random number between 0 and n?

Read More