Where to store session

Rails default is CookieStore

There are real security concerns with CookieStore. The main problem is that a CookieStore session can't be killed on the server side: the whole session lives in the signed cookie, and the server keeps no record of it. If someone gains access to your cookie, they can log in as you, even after you log out and start a new session with a new cookie.

ActiveRecordStore at least gives you the ability to invalidate a session by deleting its row from the database.
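To make the difference concrete, here is an added example (not code from the linked posts or from Rails itself) that models both stores in plain Ruby with a constructed secret and an in-memory table: a signed cookie that still verifies after logout, next to a server-side session row that does not.

```ruby
require "openssl"
require "json"
require "securerandom"
SECRET = "demo-secret-not-for-production" # constructed; Rails derives its key from secret_key_base
# Stand-in for Rails' signed CookieStore: the whole session travels in the cookie,
# the server only verifies the HMAC and keeps no record of cookies it has issued.
module CookieStore
  def self.encode(session)
    payload = JSON.generate(session)
    "#{payload}--#{OpenSSL::HMAC.hexdigest("SHA256", SECRET, payload)}"
  end

  # Returns the session hash when the signature verifies, nil for a tampered cookie.
  def self.decode(cookie)
    payload, sep, digest = cookie.rpartition("--")
    return nil if sep.empty?
    expected = OpenSSL::HMAC.hexdigest("SHA256", SECRET, payload)
    return nil unless expected.bytesize == digest.bytesize &&
                      expected.bytes.zip(digest.bytes).sum { |x, y| x ^ y }.zero? # constant-time
    JSON.parse(payload)
  end
end

# Stand-in for ActiveRecordStore: the cookie carries only a random id and the
# data sits in a table the server controls, so a row can simply be deleted.
class ServerStore
  def initialize; @rows = {}; end            # constructed in-memory "sessions" table
  def create(data)
    SecureRandom.hex(16).tap { |id| @rows[id] = data }
  end
  def find(id); @rows[id]; end
  def destroy(id); @rows.delete(id); end
end

# Logging out of a CookieStore app only replaces the cookie in the user's own
# browser; any earlier copy of the cookie still verifies against the secret.
def cookie_store_survives_logout?
  old_cookie = CookieStore.encode("user_id" => 42)
  CookieStore.encode({})             # logout: the browser is handed an empty session
  CookieStore.decode(old_cookie) == { "user_id" => 42 }
end

# With a server-side store, destroying the row invalidates every copy of the cookie.
def server_store_survives_logout?
  store = ServerStore.new
  id = store.create("user_id" => 42)
  store.destroy(id)                  # logout, or an admin revoking the session
  !store.find(id).nil?
end
```

Real Rails also encrypts the cookie and adds expiry metadata, but neither changes the point: without a server-side record there is nothing to revoke.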

This is a good blog post about it. https://www.bryanrite.com/ruby-on-rails-cookiestore-security-concerns-lifetime-pass/

https://stackoverflow.com/questions/7014458/rails-cookies-or-active-record-store-for-sessions?rq=1

Another example explaining session stores:
