Misha Moroshko

Reputation: 171321

Rails: Is it safe to store data in "session"?

I thought of storing the type of the currently logged-in user in session[:user_type]. The options are: "admin", "end_user", "demo" (I may add more user types in the future).

I wonder if it is safe to do that in a Rails 3 application.

Can a user somehow change session[:user_type] from "demo" to "admin"?

Upvotes: 8

Views: 5601

Answers (2)

Mike

Reputation: 5193

It depends on your session store.
By default Rails uses cookies as the session store, so by default it's not safe: it's pretty easy to change the content of a cookie.

So you could either:

  • change your session store in config/initializers/session_store.rb and use an ActiveRecord store (so it will be stored in the DB) or a memcache store. There are also plenty of plugins on GitHub letting you use Redis, MongoDB, ... as session stores
  • store this information in your DB and have a before_filter in your application_controller that reads the cookie to get the current user id and loads the whole user object into a variable @current_user

Upvotes: 4
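Added example (plain Ruby, no Rails required; not code from either answer) of the two points in the answer above: a cookie-held session is only as trustworthy as its signature check, and the role should be resolved from the server-side user record rather than read from the cookie. Rails' own cookie store signs the session with the app's secret_token in the same spirit; the secret, the in-memory user table and the JSON serialization here are constructed stand-ins.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Constructed stand-in for the application's secret_token; a real one stays out of source.
SECRET = 'constructed-demo-secret-do-not-use'.freeze

# Constructed in-memory stand-in for the users table. The role lives here, server-side.
USERS = {
  1 => { name: 'alice', user_type: 'admin' },
  2 => { name: 'bob',   user_type: 'demo' }
}.freeze

# Constant-time comparison so signature checks do not leak timing information.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Serialize and sign a session hash: "<base64 payload>--<HMAC-SHA1 over the payload>".
def sign_session(session, secret = SECRET)
  data = Base64.strict_encode64(JSON.generate(session))
  "#{data}--#{OpenSSL::HMAC.hexdigest('SHA1', secret, data)}"
end

# Check the signature and decode; any modified or malformed cookie yields nil (an empty session).
def verify_session(cookie, secret = SECRET)
  data, sig = cookie.to_s.split('--', 2)
  return nil if data.nil? || sig.nil?
  return nil unless secure_compare(sig, OpenSSL::HMAC.hexdigest('SHA1', secret, data))
  JSON.parse(Base64.strict_decode64(data))
rescue ArgumentError, JSON::ParserError
  nil
end

# What the before_filter should do: trust the cookie only for the user id and read the
# role from the record. A user_type key in the cookie is ignored, even if it says "admin".
def current_user(cookie)
  session = verify_session(cookie)
  return nil unless session && session['user_id']
  USERS[session['user_id']]
end

if __FILE__ == $PROGRAM_NAME
  cookie = sign_session('user_id' => 2)
  puts "bob's role from the DB: #{current_user(cookie)[:user_type]}"   # demo
  # A payload swapped in without knowing the secret fails verification.
  swapped = "#{Base64.strict_encode64(JSON.generate('user_id' => 1))}--#{cookie.split('--', 2).last}"
  puts "swapped payload accepted? #{!current_user(swapped).nil?}"     # false
end
```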

ThoKra

Reputation: 3029

Look at this thread: Rails sessions current practices

Upvotes: 3
