Anyone have any "best practices" tips for Rails and sessions? The default session type for Rails3 is still cookie store, right? I used SqlSessionStore for a while and it worked well, but I may move away from that in favor of CookieStore.

Is it still not a good idea to use CookieStore for sensitive info, even with salted info or is that better stored in the DB?

Any tips or your own practices would be welcome. Thanks!

+2  A: 

I don't believe anything has changed in how anyone on any platform should handle cookie-based sessions. Be skeptical of anything that passes beyond the server's control (cookies, form posts, etc.). That's a general principle of web development.

As far as the encryption, I don't know if anything has changed on that front.

Something to be mindful of with a cookie store is the limit to the amount of data, and the gotcha that this data will be sent on the wire in every request, whereas a database store only transfers the id and the data lives on the server.

Tilendor
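An added illustration of the points in this answer (not code from the thread): the Rails 3 CookieStore signs the Marshal-dumped session with HMAC-SHA1 through ActiveSupport::MessageVerifier but does not encrypt it, so the contents are readable to whoever holds the cookie, only modification is detected, and the whole signed blob counts toward the browser's cookie size limit on every request. The plain-Ruby functions below mirror that format; the secret and session contents are constructed for the example.

```ruby
require 'openssl'

# Browsers cap a single cookie at roughly 4 KB; Rails 3 raises CookieOverflow above this.
COOKIE_LIMIT_BYTES = 4096

# Mirrors ActiveSupport::MessageVerifier#generate as used by the Rails 3 CookieStore:
# strict Base64 of the Marshal-dumped session, "--", then an HMAC-SHA1 hex digest.
def generate_session_cookie(session_hash, secret)
  data = [Marshal.dump(session_hash)].pack('m0')
  "#{data}--#{OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), secret, data)}"
end

# Confidentiality: the payload is only encoded, not encrypted, so the holder of
# the cookie reads the session without knowing the secret. (Marshal.load on
# unverified input is itself unsafe; this models what the cookie's own holder
# sees of constructed data, never a server-side parse.)
def read_payload_without_secret(cookie)
  data, _sig = cookie.split('--', 2)
  Marshal.load(data.unpack1('m0'))
end

# Constant-time comparison so the digest check does not leak via timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Integrity, as the server does it: recompute the digest and only then
# deserialize. Returns nil for a missing, wrong, or mismatched signature.
def verify_session_cookie(cookie, secret)
  data, sig = cookie.split('--', 2)
  return nil if data.nil? || sig.nil?
  expected = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), secret, data)
  return nil unless secure_equal?(expected, sig)
  Marshal.load(data.unpack1('m0'))
end

# Size: the whole signed blob rides on every request and must fit in one cookie.
def fits_in_cookie?(cookie)
  cookie.bytesize <= COOKIE_LIMIT_BYTES
end

if __FILE__ == $PROGRAM_NAME
  secret = 'constructed-example-secret' # constructed, not a real application secret
  cookie = generate_session_cookie({ user_id: 42, 'role' => 'admin' }, secret)
  puts "client can read: #{read_payload_without_secret(cookie).inspect}"
  puts "server accepts:  #{verify_session_cookie(cookie, secret).inspect}"
  puts "wrong secret:    #{verify_session_cookie(cookie, 'other').inspect}"
  puts "fits in cookie:  #{fits_in_cookie?(cookie)}"
end
```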
+3  A: 

Use the database for sessions instead of the cookie-based default, which shouldn't be used to store highly confidential information.

Create the session table with

rake db:sessions:create

Make sure you also tell Rails to use ActiveRecord to manage your sessions too.

Rails 3

initializers/session_store.rb:

Rails.application.config.session_store :active_record_store

Rails 2

config/environment.rb:

config.action_controller.session_store = :active_record_store
Volcanic
I last heard ARstore for sessions was super slow. Anyone know of benchmarks?
Lukas
So after you make those changes and configurations, you can start to use sessions[:test] = 5? Thanks
RoR