Where to store session
The Rails default is CookieStore.
There are definite security concerns when using CookieStore. The main problem is that a CookieStore session can't be killed on the server side. If someone gains access to your cookies, they can easily log in as you, even if you log out and start a new session with a new cookie.
ActiveRecordStore at least gives you the ability to invalidate a session by removing it from the database.
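The difference can be seen in a simplified model, added here as an illustration; it is not code from Rails or from the linked posts. The class names `CookieSessions` and `ServerSessions`, the helper `replay_after_logout`, the user id and the secret are all hypothetical, constructed values.

```ruby
require "openssl"
require "json"
require "securerandom"

# Simplified model of a cookie-backed session: all state lives in the cookie,
# protected by an HMAC (Rails' real CookieStore also encrypts the payload).
class CookieSessions
  def initialize(secret)
    @secret = secret
  end

  def login(user_id)
    payload = [JSON.generate({ "user_id" => user_id })].pack("m0")
    "#{payload}--#{sign(payload)}"
  end

  # The server keeps no record, so logout can only ask the browser to drop
  # its copy; there is nothing to revoke.
  def logout(_cookie); end

  def current_user(cookie)
    payload, mac = cookie.to_s.split("--", 2)
    return nil unless payload && mac && OpenSSL.secure_compare(mac, sign(payload))
    JSON.parse(payload.unpack1("m0"))["user_id"]
  end

  private
  def sign(data)
    OpenSSL::HMAC.hexdigest("SHA256", @secret, data)
  end
end

# Simplified model of a server-side store (the role ActiveRecordStore plays):
# the cookie holds only a random id; the data is a row the server can delete.
class ServerSessions
  def initialize; @rows = {}; end
  def login(user_id)
    SecureRandom.hex(16).tap { |sid| @rows[sid] = { "user_id" => user_id } }
  end
  def logout(sid); @rows.delete(sid); end
  def current_user(sid); @rows.dig(sid, "user_id"); end
end

# Constructed scenario: the cookie is copied, then its owner logs out.
def replay_after_logout(store)
  cookie = store.login(42)
  store.logout(cookie)
  store.current_user(cookie.dup) # what a holder of the copied cookie gets
end
```

With the cookie-backed model the copied value still resolves to the user after logout; with the server-side model it resolves to nothing once the row is deleted.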
This is a good blog post about it: https://www.bryanrite.com/ruby-on-rails-cookiestore-security-concerns-lifetime-pass/
https://stackoverflow.com/questions/7014458/rails-cookies-or-active-record-store-for-sessions?rq=1