Rails Newbie

Reputation: 73

Rails - Cookies or Active Record Store for Sessions

I am building an authentication system for my project. What is the recommended approach to store session information (I am just storing the user's id, nothing else):

Also, what are the security concerns for using nested forms and accepts_nested_attributes_for?

Please advise.

Thanks a lot in advance.

Upvotes: 7

Views: 3091

Answers (3)

Brad Pauly

Reputation: 346

There are definitely security concerns when using CookieStore. The main problem is that a CookieStore session can't be killed on the server side. If someone gains access to your cookies, he can easily log in as you, even if you log out and start a new session with a new cookie.

ActiveRecordStore at least gives you the ability to invalidate a session by removing it from the database.

This is a good blog post about it. http://www.bryanrite.com/ruby-on-rails-cookiestore-security-concerns-lifetime-pass/

Upvotes: 8
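To make the revocation difference concrete, here is a small simulation (added here; not code from the answer or from Rails itself) of the two stores: the cookie store signs the session data with an HMAC and keeps no server-side copy, while the database-backed store puts only an opaque id in the cookie. The secret, the user id and the two store classes are constructed stand-ins for Rails' real classes.

```ruby
require 'openssl'
require 'securerandom'
require 'json'
require 'base64'
SECRET = 'constructed-demo-secret' # stand-in for Rails' secret_key_base

# Model of CookieStore: the session data itself travels in the cookie,
# protected only by an HMAC; the server keeps no copy of it.
class CookieStore
  def write(data)
    payload = Base64.strict_encode64(JSON.generate(data))
    "#{payload}--#{sign(payload)}"
  end
  def read(cookie)
    payload, sig = cookie.split('--', 2)
    return nil unless sig && secure_compare(sign(payload), sig)
    JSON.parse(Base64.strict_decode64(payload))
  end
  # Logout can only clear the browser's copy; an already-signed cookie
  # stays valid until the secret rotates or the cookie expires.
  def destroy(_cookie); nil; end
  def sign(payload); OpenSSL::HMAC.hexdigest('SHA256', SECRET, payload); end
  def secure_compare(a, b) # constant-time string comparison
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Model of ActiveRecordStore: the cookie holds only an opaque session id;
# the data lives server-side and deleting the row revokes the session.
class ActiveRecordStore
  def initialize; @rows = {}; end
  def write(data)
    sid = SecureRandom.hex(16)
    @rows[sid] = data
    sid
  end
  def read(sid); @rows[sid]; end
  def destroy(sid); @rows.delete(sid); end
end

# Replays a copy of the cookie taken before logout and reports whether it
# still authenticates the user afterwards (true = session not revocable).
def replay_after_logout(store)
  cookie = store.write('user_id' => 42)
  saved = cookie.dup       # copy made while the session was live
  store.destroy(cookie)    # user logs out
  session = store.read(saved)
  !session.nil? && session['user_id'] == 42
end
```

With the cookie store the saved copy still reads back user 42 after logout; with the database-backed store the lookup returns nothing once the row is gone.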

jdc

Reputation: 743

If you're only storing a single id, definitely go with cookies. AR session will still require an id of some sort in a cookie to associate requests with the session.

Upvotes: 0

Msencenb

Reputation: 5104

Rails defaults to cookie storage, so that's probably the way to go. In general the cookie store is great, especially for high-traffic sites. You just shouldn't store any mission-critical things in the session (you say you're only storing user ids, which is great).

As far as security concerns for using those... I don't think there are too many? Check out Railscasts for a great tutorial on using those. The only thing that comes to mind is possibly using attr_accessible to limit the things you can mass-assign to. Also, CanCan is a great gem for authorization if you need it.

Upvotes: 4
