user938363

Reputation: 10358

Are all session data preserved in client cookie after logout in rails 4?

We used to store the session with ActiveRecord and are now moving it to the cookie store in Rails 4. We understand that with the cookie store, all session data is stored in client-side cookies (besides the secret token) and plan to store only ids in the session. Here are a few questions:

  1. After a user logs out, is all session data (for example, user_id and user_group_id) still preserved in client cookies for the next login?
  2. If a user is assigned a new user_group_id, for example, will the old user_group_id stored in client cookies still prevail and blow up the app on the user's next login? There are online posts talking about the app blowing up when the session object gets changed on the server but cannot be updated accordingly on the client side (unless the secret token is changed).
  3. Besides the 4kb size limit and storing only ids in the session with the cookie store, are there other things (or disadvantages) to consider when moving the session from the db to the cookie store?

Upvotes: 1

Views: 1942

Answers (1)

ChristopherW

Reputation: 1073

Here is the lowdown on the cookie store. First off, everything in a cookie is there permanently once it's set, or until the user deletes the cookie manually somehow. This means that if you set user_id and user_group_id, it's there for good in the cookie until updated or deleted. This is different from a session, since the session is like RAM on a computer: once the browser is closed, the session closes with it, as well as all of its data.

  1. So, this means that when you log out your user, you need to specify that their cookie empties anything you don't want it to have. When your user logs in, you set anything that you want the user to have while they are logged in. So, since the session and cookie are completely separate things, they never interact together unless you choose to make them. So your session will never dump itself into the cookie store unless you make it do that.

  2. Every time your users go to your site, you could have a single handshake that makes sure that the cookie matches the db if necessary. Otherwise, you could have differing data that only gets updated on login or whatnot, and without the handshake the user would have to keep logging in to make sure they are still valid, which defeats the purpose of having a cookie in the first place.

  3. The downside of client-side cookie storage is security concerns. Depending on how you use the cookie to store data, a person could hijack somebody's cookie on your site and pretend they are them. This can be avoided by careful design, but just assume that whatever is in your cookie store is fair game to everybody, so use it carefully and only for non-secret data.

Hope this helps!

Upvotes: 3
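A small plain-Ruby model of the three points above (an added example, not code from the question or the answer): a signed session cookie in the style of the Rails cookie store, a logout that explicitly empties it, and a per-request handshake that trusts only the id in the cookie and re-reads user_group_id from the database. The signing scheme, the `SECRET` value and the `USERS` table are constructed stand-ins, not Rails' own implementation.

```ruby
require 'openssl'
require 'json'
require 'base64'

# Constructed secret for this example; a real app uses its secret_key_base.
SECRET = 'example-secret-not-for-production'.freeze

def sign(payload)
  OpenSSL::HMAC.hexdigest('SHA256', SECRET, payload)
end

# Constant-time comparison so a forged signature cannot be guessed byte by byte.
def same_signature?(a, b)
  a.bytesize == b.bytesize &&
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Serialize the whole session hash into the cookie as "payload--signature",
# which is the essence of the cookie store: the data lives on the client.
def encode_session(session)
  payload = Base64.strict_encode64(JSON.generate(session))
  "#{payload}--#{sign(payload)}"
end

# Verify and decode a cookie; anything tampered with or malformed becomes
# an empty session rather than being trusted.
def decode_session(cookie)
  payload, sig = cookie.to_s.split('--', 2)
  return {} unless payload && sig && same_signature?(sig, sign(payload))
  JSON.parse(Base64.strict_decode64(payload))
rescue ArgumentError, JSON::ParserError
  {}
end

# Constructed stand-in for the users table: id => current group id.
USERS = { 7 => { 'user_group_id' => 2 } }

# Login stores only the id, as the question plans to do.
def login_cookie(user_id)
  encode_session('user_id' => user_id)
end

# Logout must explicitly replace the cookie with an empty session (what
# Rails' reset_session does); otherwise the old data stays on the client.
def logout_cookie
  encode_session({})
end

# Per-request handshake: the group id is never read from the cookie, so a
# stale user_group_id in an old cookie can never prevail over the database.
def current_user_group(cookie)
  user = USERS[decode_session(cookie)['user_id']]
  user && user['user_group_id']
end
```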
