I had been using the cookie-based session until recently, then
switched to using active_record_store (db) as it said:
Use the database for sessions instead of the cookie-based default,
which shouldn’t be used to store highly confidential information
in the session_store.rb file.
Everything works fine, but I don’t really understand why it’s still
setting a cookie instead of just using the session db. Is that a
normal behavior when using a database for session management?
I see the difference now - with the session_store db instead of the
cookie, the cookie is a mere reference to the record in the db. So
that makes it more secure than the cookie-based.
But I still have a question about the life of the session record in
the session db. It doesn’t seem to get deleted when the session
ends. Is there a method to do that with this class? Thanks!
you are suppose to deleted manually, you can create a rake task and set
thanks, radhames brito.
I was hoping it was done automagically somehow… , but found a good