Reputation: 8268
What does 'skip session storage' in Devise gem mean?
I am reading Devise gem's initializer file (config/initializers/deviser.rb) and having a hard time comprehending this part.
# By default Devise will store the user in session. You can skip storage for
# :http_auth and :token_auth by adding those symbols to the array below.
# Notice that if you are skipping storage for all authentication paths, you
# may want to disable generating routes to Devise's sessions controller by
# passing :skip => :sessions to `devise_for` in your config/routes.rb
config.skip_session_storage = [:http_auth]
The reason I'm looking at this is because I'm trying to use api based token authentication, in which case I need to change that config line to:
config.skip_session_storage = [:http_auth, :token_auth]
Can anyone explain what the comments are saying?
Upvotes: 14
Views: 8740
Answers (2)
Reputation: 164
# Notice that if you are skipping storage for all authentication paths, you
# may want to disable generating routes to Devise's sessions controller by
# passing :skip => :sessions to `devise_for` in your config/routes.rb
This part tells you that if you disable the use of sessions for all authentication methods like in the following line:
config.skip_session_storage = [:http_auth, :token_auth]
then you don't need the routes to the sessions automatically generated by devise_for by defaults.
So you should add the following in your config/routes.rb:
devise_for :users, :skip => :sessions
Hope it helps a bit.
Upvotes: 2
Reputation:
Quite simply, it tells Devise not to store the user in the session. Here's another explanation for it:
skip_session_storage+: By default Devise will store the user in session. You can skip storage for http and token auth by appending values to array: :skip_session_storage => [:token_auth] or :skip_session_storage => [:http_auth, :token_auth],by default is set to skip_session_storage => [:http_auth].
Devise::Models::Authenticatable
For your intents and purposes, I would disable session caching using Warden/Devise; I believe it's interfered with certain APIs (don't take my word for it though). Hope that helps.
Upvotes: 6
Related Questions
- Rails devise-jwt session storage
- Rails and Devise Gem: Avoiding store session for certain controller and action
- What does sign_in of devise do
- Stop Devise from clearing session
- Rails 4: Does Devise address session fixation by resetting session after login?
- Rails + Devise - Session Controller explaination
- What does session_store.rb do?
- Devise - how does it set session cookies?
- Devise authentication - what is the standard behaviour of this gem?
- Rails devise session