Where is the session stored in Rails?

In Rails, I have the code below for authenticating the user (verified as correct). However, I wanted to confirm my understanding of this strange session[:session_token]. Is this a cookie stored in the browser?

```ruby
class ApplicationController < ActionController::Base
  protect_from_forgery with: :exception
  helper_method :current_user, :signed_in?

  private

  def current_user
    @current_user ||= User.find_by_session_token(session[:session_token])
  end

  def signed_in?
    !!current_user
  end

  def sign_in(user)
    @current_user = user
    session[:session_token] = user.reset_token!
  end

  def sign_out
    current_user.try(:reset_token!)
    session[:session_token] = nil
  end

  def require_signed_in!
    redirect_to new_session_url unless signed_in?
  end
end
```

So far, I understand how this works: when the browser/client sends a request to Rails, a cookie (with session[:session_token]) is also sent, which allows the current_user method to find the user. Do I understand correctly? This is strange to me because I have a gap in my knowledge about how exactly the browser/client gets hold of the session cookie when we declare it in the ApplicationController (Rails-side).

+6
1 answer

You are pretty much there. Although, I have a feeling that you may be mixing apples with oranges...

Sessions:

Very often, in dynamic websites, you want to store user data between HTTP requests (because HTTP is stateless and you cannot otherwise link one request to another), but you do not want this data to be readable and/or editable on the client side inside the URL (e.g. yourwebsite.com/yourPage?cookie=12345&id=678), etc., because you don't want the client to play around with this data without going through your server code.

One way to solve this problem is to save this information server-side, give it a "session_token" (as you called it), and let the client know this token (and send it with each HTTP request). This is how a session is implemented.

Cookies

The most common method for implementing sessions in Rails involves the use of cookies, which are small pieces of text placed in a user's browser. Since cookies are stored from one page to another, they can store information (for example, session_token or something else that you want) that the application can use to retrieve a registered user from the database.

Where is the session stored in Rails?

Using both of the above concepts, I can now tell you that the default session store is the Rails CookieStore, which is about 4 KB in size.

Simply put...

```ruby
def sign_in(user)
  @current_user = user
  session[:session_token] = user.reset_token!
end
```

... that you defined puts the user in a temporary session.

Then the idea is that the following ...

```ruby
def current_user
  @current_user ||= User.find_by_session_token(session[:session_token])
end
```

... method will find and retrieve from the database the user corresponding to the session token, and assign it to the variable you specify.

Additional Information:

It should also be noted that there is an important difference between the Rails session and cookies helper methods...

They both generate cookies; however, the session[...] method creates temporary cookies that expire when the browser is closed, and the cookies[...] method creates a persistent cookie that does not.

In addition, I would suggest looking at section 2 of the Ruby on Rails Security Guide. You may find this helpful.

Hope this helps you.

+8
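Added example (not part of the question or answer, and not Rails' own ActionDispatch::Session::CookieStore code): a toy cookie-based session store that shows concretely where the session lives with the CookieStore and why the browser can carry session[:session_token] without being able to alter it. Rails signs and, in current versions, also encrypts the cookie; only the signing half is modelled here. The class name, the secret, the token values and the set_cookie_header helper are all constructed for this example.

```ruby
require 'openssl'
require 'json'
require 'time'

# Toy model of a signed cookie session store (example code, not Rails').
# The whole session hash travels in the cookie; an HMAC over it lets the
# server detect any client-side edit, which is what keeps the token trustworthy.
class ToySignedSessionStore
  COOKIE_LIMIT = 4096 # browsers reject a single cookie larger than about 4 KB

  def initialize(secret)
    @secret = secret # Rails derives its signing key from secret_key_base
  end

  # Server -> browser: serialise the session, base64 it, append an HMAC tag.
  def encode(session)
    payload = [JSON.generate(session)].pack('m0') # strict base64, no newlines
    cookie = "#{payload}--#{tag(payload)}"
    raise ArgumentError, 'session too large for one cookie' if cookie.bytesize > COOKIE_LIMIT
    cookie
  end

  # Browser -> server: verify the tag before trusting anything inside.
  # Returns nil for a missing, malformed or tampered cookie, which the app
  # experiences as an empty session (current_user would then be nil).
  def decode(cookie)
    return nil if cookie.nil?
    payload, received = cookie.split('--', 2)
    return nil if payload.nil? || received.nil?
    return nil unless secure_compare(tag(payload), received)
    JSON.parse(payload.unpack1('m0'))
  rescue ArgumentError, JSON::ParserError
    nil # invalid base64 or JSON is treated exactly like a bad signature
  end

  private

  def tag(payload)
    OpenSSL::HMAC.hexdigest('SHA256', @secret, payload)
  end

  # Constant-time comparison so response timing does not leak the tag.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# The session/cookies distinction from the answer, as Set-Cookie headers:
# with no Expires attribute the browser discards the cookie when it exits
# (a session cookie); with Expires it is persistent. Constructed helper.
def set_cookie_header(name, value, expires: nil)
  attrs = ["#{name}=#{value}", 'Path=/', 'HttpOnly', 'SameSite=Lax']
  attrs << "Expires=#{expires.httpdate}" if expires
  attrs.join('; ')
end

# Round trip for the kind of session the question's sign_in creates.
# Secret and token values are constructed for the example.
def demo
  store = ToySignedSessionStore.new('constructed-secret-do-not-reuse')
  cookie = store.encode({ 'session_token' => 'tok_constructed_123' })
  # A cookie carrying a different token but without a valid tag: rejected.
  forged = "#{['{"session_token":"tok_someone_else"}'].pack('m0')}--#{'0' * 64}"
  {
    cookie: cookie,
    restored: store.decode(cookie),        # => {"session_token"=>"tok_constructed_123"}
    forged_rejected: store.decode(forged), # => nil
    session_header: set_cookie_header('_app_session', cookie),
    persistent_header: set_cookie_header('remember_me', 'x', expires: Time.now + 30 * 86_400)
  }
end

p demo if $PROGRAM_NAME == __FILE__
```

The point to take away: with the CookieStore the session data itself is on the client, so the server only ever trusts what it can verify came from itself, and the 4 KB figure is the practical ceiling on what fits in that cookie.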
