Rails sessions current practices

Lukas · Apr 6, 2010 · Viewed 46.5k times

Anyone have any "best practices" tips for Rails and sessions? The default session type for Rails 3 is still CookieStore, right? I used SqlSessionStore for a while and it worked well, but I may move away from that in favor of CookieStore.

Is it still not a good idea to use CookieStore for sensitive info, even with salted info, or is that better stored in the DB?

Answer

Volcanic · Aug 25, 2010

Use the database for sessions instead of the cookie-based default, which shouldn't be used to store highly confidential information.

Create the session table with:

rake db:sessions:create

Run the migration:

rake db:migrate

Make sure you also tell Rails to use ActiveRecord to manage your sessions.

Rails 3

config/initializers/session_store.rb:

Rails.application.config.session_store :active_record_store

Rails 2

config/environment.rb:

config.action_controller.session_store = :active_record_store
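
Added example, not part of the original answer and not Rails' own code: a sketch modelled on the signed cookie format used by CookieStore in Rails 2 and 3, which is signed with an HMAC but not encrypted. It shows why the cookie cannot be altered by the client yet can still be read by it. The secret, the session contents and all function names are constructed for illustration.

```ruby
require "openssl"

# Constructed values, for illustration only.
SECRET  = "constructed-secret-token-for-illustration-only"
SESSION = { "user_id" => 42, "api_token" => "constructed-token-123" }

# Build a signed cookie: Base64(Marshal(session)) + "--" + hex HMAC-SHA1.
def sign_session(session, secret)
  data = [Marshal.dump(session)].pack("m0") # strict Base64, no newlines
  "#{data}--#{hmac_hex(data, secret)}"
end

def hmac_hex(data, secret)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("SHA1"), secret, data)
end

# Constant-time string comparison, so the check does not leak timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server side: return the session only when the HMAC matches, else nil.
def verify_session(cookie, secret)
  data, digest = cookie.to_s.split("--", 2)
  return nil if data.nil? || digest.nil?
  return nil unless secure_compare(hmac_hex(data, secret), digest)
  # Unmarshal only after the signature check has passed.
  Marshal.load(data.unpack1("m0"))
end

# What anyone holding the cookie can see without knowing the secret.
def readable_without_secret(cookie)
  cookie.split("--", 2).first.unpack1("m")
end

if __FILE__ == $PROGRAM_NAME
  cookie = sign_session(SESSION, SECRET)
  puts "cookie:            #{cookie}"
  puts "verified session:  #{verify_session(cookie, SECRET).inspect}"
  puts "visible to client: #{readable_without_secret(cookie).inspect}"
end
```

The signature protects integrity only, so anything placed in such a session is disclosed to whoever holds the cookie; with the ActiveRecord store the cookie carries just the session id.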