main=.foo.com; Path=/; Expires=Wed, 13-Jan-2021 22:23:01 GMT; HttpOnly

Topic 2: Sessions
HTTP is a stateless protocol -- it doesn’t require the server to remember anything about a single
user across multiple requests.
This works fine for serving static content, but what about dynamic or customized content? For
example, a user on Amazon wants to see the same items in his shopping cart as he browses from
page to page, so the server needs some way to keep track of that user's data across requests.
A common solution to this problem is using browser cookies. (Other solutions: server side
sessions, hidden form variables, adding parameters to the URL.)
Topic 3: Sessions in Rails
Rails has built-in support for keeping track of user sessions.
There are a few storage mechanisms, and all of them use a cookie. The database and cache stores
keep only a unique session ID in the cookie and the session data on the server; CookieStore puts
the data itself in the cookie. They differ, in other words, in where the data is kept.
● ActionDispatch::Session::CookieStore – Stores everything on the client.
● ActiveRecord::SessionStore – Stores the data in a database using Active Record.
● ActionDispatch::Session::CacheStore – Stores the data in the Rails cache.
If you’d like to change how you’re storing sessions you can take a look and change it in the
The default store is CookieStore, which stores all session data in the browser cookie. Note that
in Rails 3 the data in that cookie isn't encrypted, only serialized and Base64-encoded, so users
can decode and read it; never put secrets in the session. The cookie is, however, signed with the
application's secret (an HMAC), so users can't modify it -- if they do, the signature no longer
matches and Rails will discard the session. (Rails 4.1 and later encrypt the cookie as well.)
No matter which mechanism you choose, the session is accessible via the session hash.
You might set a user_id in the session hash when the user logs in:
    user = User.find_by_email(params[:email])
    session[:user_id] = user.id if user
The user can then be retrieved on a subsequent request like so:
    User.find(session[:user_id]) if session[:user_id]
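The two points above (a CookieStore cookie is readable by the client but cannot be altered, and the session hash carries only a user_id that is looked up on the next request) can be seen end to end in the following added example. It is not code from the notes or from Rails itself: SignedCookieStore is a small stand-in for Rails 3's CookieStore/MessageVerifier that uses JSON instead of Marshal, the USERS table, find_by_email, find, login, current_user and forged_cookie are constructed stand-ins for the Active Record calls, and the secret is a made-up demo value (a Rails 3 app would use its configured secret_token).

```ruby
require "openssl"
require "base64"
require "json"

# Stand-in for a signed, unencrypted cookie store in the style of Rails 3:
#   cookie = base64(serialized session) + "--" + hex(HMAC-SHA1(secret, base64 part))
# JSON is used here for simplicity; Rails 3 used Marshal, which must only be
# applied to the payload after the signature has been verified.
class SignedCookieStore
  class InvalidSignature < StandardError; end

  def initialize(secret)
    @secret = secret
  end

  # Server side: produce the cookie value for a session hash.
  def generate(session)
    data = Base64.strict_encode64(JSON.generate(session))
    "#{data}--#{digest(data)}"
  end

  # Server side: accept a cookie only if its signature matches; otherwise reject it.
  def verify(cookie)
    data, sig = cookie.to_s.split("--", 2)
    raise InvalidSignature if data.nil? || sig.nil?
    raise InvalidSignature unless secure_compare(digest(data), sig)
    JSON.parse(Base64.strict_decode64(data))
  end

  # Client side: anyone holding the cookie can decode the payload without the secret.
  def self.peek(cookie)
    data, _sig = cookie.to_s.split("--", 2)
    JSON.parse(Base64.strict_decode64(data))
  end

  private

  def digest(data)
    OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("SHA1"), @secret, data)
  end

  # Constant-time comparison so response timing does not leak the digest byte by byte.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Constructed stand-in for the users table (no database here).
USERS = {
  1 => { "id" => 1, "email" => "alice@example.com" },
  2 => { "id" => 2, "email" => "admin@example.com" },
}

def find_by_email(email)
  USERS.values.find { |u| u["email"] == email }
end

def find(id)
  USERS[id]
end

SECRET = "constructed-demo-secret-do-not-use" # assumed; Rails 3 reads config.secret_token
STORE = SignedCookieStore.new(SECRET)

# Login request: put user_id in the session and hand it back as the session cookie.
def login(email)
  user = find_by_email(email)
  return nil unless user
  STORE.generate({ "user_id" => user["id"] })
end

# A later request: verify the cookie first, then look the user up from session[:user_id].
def current_user(cookie)
  session = STORE.verify(cookie)
  find(session["user_id"]) if session["user_id"]
rescue SignedCookieStore::InvalidSignature
  nil
end

# Attacker: rewrite the readable payload to user 2 but keep the old signature.
def forged_cookie(cookie)
  _data, sig = cookie.split("--", 2)
  forged = Base64.strict_encode64(JSON.generate({ "user_id" => 2 }))
  "#{forged}--#{sig}"
end
```

Running login, then SignedCookieStore.peek on the returned cookie, shows the user_id in the clear; running current_user on the forged cookie returns nil because the HMAC no longer matches, which is exactly the property the notes describe. The same layout means a leaked or guessed secret lets an attacker mint any session, so the secret must be treated as a credential.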
Topic 4: Authentication (vs Authorization)
Authentication involves verifying that “this person is who they say they are.” For example, you
may show a p...
This document was uploaded on 03/18/2014 for the course EECS 6.170 at MIT, Spring '13.