What if your Rails app couldn’t tell who was visiting it? If you had no idea that the same person requested two different pages? If all the data you stored vanished as soon as you returned a response?

That might be fine for a mostly static site. But most apps need to be able to store some data about a user. Maybe it’s a user id, or a preferred language, or whether they always want to see the desktop version of your site on their iPad. The session is the perfect place to put this kind of data: little bits of data you want to keep around for more than one request.

So what is a session? How does Rails know to show the right data to the right person? And how do you decide where you keep your session data?

## What is a session?

A session is just a place to store data during one request that you can read during later requests. You can set some data in a controller action:

```ruby
# app/controllers/sessions_controller.rb
def create
  # ... (look up or create the user) ...
  session[:current_user_id] = user.id
  # ...
end
```

And read it in another:

```ruby
# app/controllers/users_controller.rb
def index
  current_user = User.find_by(id: session[:current_user_id])
  # ...
end
```

But it takes coordination between your user’s browser and your Rails app to make everything connect up.

When you request a webpage, the server can set a cookie when it responds back:

```
~ jweiss$ curl -I | grep Set-Cookie
Set-Cookie: NID=67=J2xeyegolV0SSneukSOANOCoeuDQs7G1FDAK2j-nVyaoejz-4K6aouUQtyp5B_rK3Z7G-EwTIzDm7XQ3_ZUVNnFmlGfIHMAnZQNd4kM89VLzCsM0fZnr_N8-idASAfBEdS; expires=Wed, 1 05:44:42 GMT; path=/; domain=.; HttpOnly
```

And until the cookie expires, every time you make a request, your browser will send the cookies back to the server:

```
> Cookie: NID=67=J2xeyegolV0SSneukSOANOCoeuDQs7G1FDAK2j-nVyaoejz-4K6aouUQtyp5B_rK3Z7G-EwTIzDm7XQ3_ZUVNnFmlGfIHMAnZQNd4kM89VLzCsM0fZnr_N8-idASAfBEdS
```

The information inside the cookie isn’t meant for the user. Your Rails app is in charge of figuring out what a cookie means: your app set it, so your app can read it.

What does this have to do with a session? You put data in during one request, and you get that same data in the next. What’s the difference between that and a session?

By default, in Rails, there isn’t much of a difference. Rails does some work with the cookie to make it more secure. But besides that, it works the way you’d expect: your Rails app puts some data into the cookie, and the same data comes out of the cookie.

If this was all there was, there’d be no reason to distinguish sessions from cookies. But cookies aren’t always the right answer for session data:

- You can only store about 4kb of data in a cookie. This is usually enough, but sometimes it’s not.
- Cookies are sent along with every request you make. Big cookies mean bigger requests and responses, which mean slower websites.
- Storing the wrong kind of data inside a cookie can be insecure. If you accidentally expose your secret_key_base, your users can change the data you’ve put inside your cookie. When this includes things like current_user_id, anyone can become whichever user they want!

If you’re careful, these aren’t big problems. But when you can’t store your session data inside a cookie for one of these reasons, Rails has a few other places to keep your sessions.

## Alternative session stores

All of the session stores that aren’t the cookie session store work in pretty much the same way. But it’s easiest to think about using a real example. If you were keeping track of your sessions with ActiveRecord, and you call `session[:current_user_id] = 1` in your app when a session doesn’t already exist:

1. Rails will create a new record in your sessions table with a random session ID (say, 09497d46978bf6f32265fefb5cc52264).
2. It’ll store the session data, `{ current_user_id: 1 }` (Base64-encoded), in the data attribute of that record.
3. And it’ll return the generated session ID, 09497d46978bf6f32265fefb5cc52264, to the browser using Set-Cookie.
4. The browser sends that same cookie to your app, using the Cookie: header.
5. Your app grabs the session ID out of your cookie, and finds its record in the sessions table.
6. Then, it returns current_user_id out of the data attribute of that record.

Whether you’re storing sessions in the database, in Memcached, in Redis, or wherever else, they mostly follow this same process.
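As an added example (not code from the original post or from Rails itself), here is a stripped-down model in plain Ruby of the two designs described above: a cookie store that signs the Base64-encoded session data with secret_key_base and discards any cookie whose signature doesn’t match, and a server-side store that hands the browser only a random session ID and keeps the data in a table. The HMAC-SHA256 `payload--signature` layout and the Hash standing in for the sessions table are assumptions for illustration; Rails’ real implementation (MessageVerifier/MessageEncryptor and the session middleware) does more.

```ruby
require "openssl"
require "base64"
require "json"
require "securerandom"

# Compares two strings without stopping at the first differing byte.
def secure_equal?(a, b)
  a.bytesize == b.bytesize && a.bytes.zip(b.bytes).sum { |x, y| x ^ y }.zero?
end

# Cookie store: the session data itself travels in the cookie, signed with
# secret_key_base so a cookie the browser has altered is detected and dropped.
class CookieStore
  def initialize(secret_key_base)
    @secret = secret_key_base
  end

  # Value for the Set-Cookie header: "<base64 JSON>--<hex HMAC>" (assumed layout).
  def write(session_hash)
    payload = Base64.strict_encode64(JSON.generate(session_hash))
    "#{payload}--#{sign(payload)}"
  end

  # Session hash recovered from the Cookie header, or nil if the signature is wrong.
  def read(cookie_value)
    payload, sig = cookie_value.to_s.split("--", 2)
    return nil unless sig && secure_equal?(sign(payload), sig)
    JSON.parse(Base64.strict_decode64(payload))
  end

  def sign(payload)
    OpenSSL::HMAC.hexdigest("SHA256", @secret, payload)
  end
end

# Server-side store: the cookie carries only a random session ID; the
# Base64-encoded data stays in a table (a Hash stands in for the sessions table).
class ServerStore
  def initialize
    @table = {}
  end

  def write(session_hash)
    id = SecureRandom.hex(16) # 32 hex chars, like 09497d46978bf6f32265fefb5cc52264
    @table[id] = Base64.strict_encode64(JSON.generate(session_hash))
    id
  end

  def read(session_id)
    data = @table[session_id]
    data && JSON.parse(Base64.strict_decode64(data))
  end
end
```

With the cookie store, swapping in a payload for a different user while keeping the old signature makes `read` return nil; with the server store, a guessed ID that isn’t in the table returns nil and no session data ever leaves the server.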