Where to store session
Last updated
Rails' default is CookieStore
There are definitely security concerns when using CookieStore. The main problem is that a CookieStore session can't be killed on the server side: the whole session lives in the signed cookie, and the server keeps no record of it. If someone gains access to your cookie, they can log in as you, even after you log out and start a new session with a new cookie.
ActiveRecordStore at least gives you the ability to invalidate a session by removing it from the database.
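The difference described above, as an added example that is not code from the page or from Rails itself: two deliberately simplified models of a session store. `CookieSession` mimics CookieStore (the session hash is serialized into the cookie and protected by an HMAC), `DbSession` mimics ActiveRecordStore (the cookie carries only a random id and the data lives server-side). The secret, the session contents and the `demo_*` helpers are constructed for the example. Running it shows that a copied cookie still loads after "logout" with the cookie-style store, while deleting the row kills every copy of the id with the database-style store.

```ruby
require 'openssl'
require 'json'
require 'base64'
require 'securerandom'

# Constructed secret for the demo; a real app derives this from secret_key_base.
SECRET = 'demo-secret-not-for-production'.freeze

# CookieStore-style session: the whole session hash lives in the cookie,
# protected by an HMAC so the client cannot tamper with it.
module CookieSession
  def self.issue(session_hash)
    payload = Base64.strict_encode64(JSON.generate(session_hash))
    "#{payload}--#{hmac(payload)}"
  end

  # Returns the session hash, or nil if the cookie is malformed or forged.
  def self.load(cookie)
    payload, mac = cookie.to_s.split('--', 2)
    return nil unless payload && mac
    return nil unless secure_equal?(hmac(payload), mac)
    JSON.parse(Base64.strict_decode64(payload))
  rescue ArgumentError, JSON::ParserError
    nil
  end

  # "Logout" with a cookie store can only tell the browser to drop its cookie;
  # nothing changes on the server, so any copy of the cookie keeps validating.
  def self.logout(_cookie)
    nil
  end

  def self.hmac(payload)
    OpenSSL::HMAC.hexdigest('SHA256', SECRET, payload)
  end

  # Constant-time comparison so the MAC check itself does not leak timing.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# ActiveRecordStore-style session: the cookie carries only a random id and
# the data lives in a server-side table keyed by that id.
class DbSession
  def initialize
    @table = {} # stands in for the sessions table
  end

  def issue(session_hash)
    sid = SecureRandom.hex(16)
    @table[sid] = session_hash
    sid
  end

  def load(sid)
    @table[sid]
  end

  # Logout deletes the row, so every copy of the id is dead at once.
  def logout(sid)
    @table.delete(sid)
    nil
  end
end

# A cookie copied before logout still loads afterwards.
def demo_cookie_store
  cookie = CookieSession.issue('user_id' => 42)
  stolen_copy = cookie.dup
  CookieSession.logout(cookie)
  CookieSession.load(stolen_copy) # => {"user_id"=>42}
end

# A session id copied before logout is useless afterwards.
def demo_db_store
  store = DbSession.new
  sid = store.issue('user_id' => 42)
  stolen_copy = sid.dup
  store.logout(sid)
  store.load(stolen_copy) # => nil
end

if __FILE__ == $PROGRAM_NAME
  puts "cookie store after logout: #{demo_cookie_store.inspect}"
  puts "db store after logout:     #{demo_db_store.inspect}"
end
```

The HMAC only stops the client from editing the session; it does nothing to revoke a session that was legitimately issued, which is exactly why a server-side row (or any server-side record the app can delete) is needed before logout can mean anything to a copied cookie.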
This is a good blog post about it.