Hello, I am currently experiencing a strange issue with our users being logged out. I haven't been able to reproduce it explicitly.

The Rails application is using the default CookieStore.

My initial hypothesis is that somehow the session data within the cookie, or even the cookie itself, is being destroyed. This may be either from a user clearing browser data, or something within the system that has not been caught.

As of now, the authentication system appears to be functioning as intended (Authlogic), and we are not experiencing the issue widespread in other components of the application.

I am considering using ActiveRecordStore to see if the problem is resolved. My understanding is the session data would be stored within the database, and if a cookie was being removed, the user would not get logged out.

Are there many known pros/cons to using CookieStore vs ActiveRecordStore?

Why is CookieStore the default when creating a Rails application, and not ActiveRecordStore?

+1  A: 

I can answer your last two questions.

  • You should not use the cookie store if you're storing sensitive data in the session because you want such data to be on the server-side and not on the client.

  • The cookie store is the default because Rails is giving you a strong hint that you should not be storing lots of data in the session, by virtue of the fact that cookie storage is limited to 4 KB.

John Topley
Thanks John, I fully intended on responding before this :)
releod
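
A simplified model of the two approaches contrasted in the answer above, added here as an example (it is not Rails's code and not code from the original posts). The module names, `SECRET`, the JSON-plus-HMAC cookie format and the in-memory `ROWS` table are assumptions made for illustration; the 4 KB limit is the one the answer mentions.

```ruby
require "openssl"
require "base64"
require "json"
require "securerandom"

SECRET = "constructed-demo-secret" # constructed value, stands in for the app secret
MAX_COOKIE_BYTES = 4096            # the 4 KB cookie limit mentioned in the answer
class CookieTooLarge < StandardError; end

# Cookie-store model: the whole session travels in the cookie, signed but readable.
module ClientSideStore
  def self.sign(payload)
    OpenSSL::HMAC.hexdigest("SHA256", SECRET, payload)
  end
  def self.same?(a, b) # constant-time comparison of two signatures
    a.bytesize == b.bytesize && a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  def self.write(session)
    payload = Base64.urlsafe_encode64(JSON.generate(session))
    cookie = "#{payload}--#{sign(payload)}"
    raise CookieTooLarge, "#{cookie.bytesize} bytes" if cookie.bytesize > MAX_COOKIE_BYTES
    cookie
  end

  def self.read(cookie)
    payload, sig = cookie.to_s.split("--", 2)
    return {} if payload.nil? || sig.nil? || !same?(sign(payload), sig)
    JSON.parse(Base64.urlsafe_decode64(payload))
  end
end

# Server-side model: the cookie carries only a random id; the data stays in ROWS.
module ServerSideStore
  ROWS = {} # stands in for the sessions table
  def self.write(session)
    id = SecureRandom.hex(16)
    ROWS[id] = session
    id
  end
  def self.read(cookie)
    ROWS.fetch(cookie.to_s, {})
  end
end

# What anyone holding the client-side cookie can read without knowing SECRET.
def visible_to_client(cookie)
  JSON.parse(Base64.urlsafe_decode64(cookie.split("--", 2).first))
end
```

In this model both stores return an empty session when the browser sends no cookie, because the server-side store still needs the id cookie to find its row. The signature stops a client from altering the cookie-store payload, but not from reading it.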