Rails: is it safe to store data in a "session"?

I thought of saving the current user type in session[:user_type]. Possible options: "admin", "end_user", "demo" (new types of users may be added in the future).

I wonder if it's safe to do this in a Rails 3 application.

Can the user somehow change session[:user_type] from "demo" to "admin"?

+6
security ruby-on-rails ruby-on-rails-3 session
2 answers

It depends on your session repository.
By default it uses cookies as the session store, so by default it is unsafe, since it's pretty easy to change the contents of a cookie.

So you can:

  • change the session store in config/initializers/session_store.rb and use the ActiveRecord store (so it will be stored in the db) or the memcache store. There are also many plugins on GitHub that let you use redis, mongodb, ... as session storage
  • save this information in your db and have a before_filter in your application_controller that reads the cookie, gets the current user id and loads the whole user object into the @current_user variable
+5
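An added example, not part of the answer above, that shows the two things it discusses in plain Ruby (no Rails required): what an attacker can do to an unsigned cookie versus a signed one in the "payload--hexdigest" shape that the Rails 3 cookie store produces (HMAC-SHA1 over the encoded payload using config.secret_token; Rails serializes with Marshal, this example uses JSON), and the before_filter pattern of keeping only the user id in the session and deriving the role from a server-side record. The `USERS` table, the `SECRET` value and the session contents are constructed stand-ins. One caveat the example makes visible: a signed cookie is still readable by the client, so the signature stops edits but does not hide `user_type`.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Constructed stand-in for the users table (id => record) the answer suggests querying.
USERS = {
  1 => { name: 'alice', user_type: 'admin' },
  2 => { name: 'bob',   user_type: 'demo' }
}.freeze

# Assumption: stands in for config.secret_token; never hard-code a real one.
SECRET = 'example-secret-token-do-not-use-in-production'.freeze

# Unsigned cookie: whoever holds it can rewrite the payload at will.
def encode_plain(session)
  Base64.strict_encode64(JSON.generate(session))
end

def decode_plain(cookie)
  JSON.parse(Base64.strict_decode64(cookie))
end

def sign(payload, secret = SECRET)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha1'), secret, payload)
end

# Signed cookie, "payload--hexdigest", like ActiveSupport::MessageVerifier in Rails 3.
def encode_signed(session, secret = SECRET)
  payload = encode_plain(session)
  "#{payload}--#{sign(payload, secret)}"
end

# Constant-time comparison so the digest check does not leak timing information.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  res = 0
  a.bytes.zip(b.bytes) { |x, y| res |= x ^ y }
  res.zero?
end

# Returns the session hash, or nil when the signature does not match (tampered or wrong secret).
def decode_signed(cookie, secret = SECRET)
  payload, digest = cookie.split('--', 2)
  return nil if payload.nil? || digest.nil?
  return nil unless secure_compare(digest, sign(payload, secret))
  decode_plain(payload)
end

# What a client can do with its own cookie: decode it, flip user_type, re-encode it.
# For a signed cookie the client has no secret, so it can only reuse the old digest.
def tamper(cookie)
  payload, digest = cookie.split('--', 2)
  session = decode_plain(payload)
  session['user_type'] = 'admin'
  forged = encode_plain(session)
  digest ? "#{forged}--#{digest}" : forged
end

# The before_filter pattern from the answer: trust only the id, look the role up server-side.
def current_user_type(session)
  user = USERS[session['user_id']]
  user && user[:user_type]
end

def demo
  session = { 'user_id' => 2, 'user_type' => 'demo' }
  plain  = encode_plain(session)
  signed = encode_signed(session)
  {
    plain_tampered:  decode_plain(tamper(plain))['user_type'],            # "admin": accepted
    signed_tampered: decode_signed(tamper(signed)),                        # nil: rejected
    signed_readable: decode_plain(signed.split('--', 2).first)['user_type'], # "demo": still readable
    server_side:     current_user_type(decode_plain(tamper(plain)))        # "demo": role from the table
  }
end
```

`demo` returns the four outcomes side by side: the unsigned cookie is promoted to "admin" without resistance, the signed cookie is rejected once its payload changes, the signed payload still reveals the role to anyone who base64-decodes it, and the server-side lookup ignores whatever the client wrote into `user_type`. If the secret ever leaks the signed case collapses to the unsigned one, which is why the lookup-by-id pattern is the one to rely on.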

Take a look at this thread: Rails performs current actions.

+3
