Re: LoginEngine, Sessions and users

Thanks for responding, Gwen…

I’m not sure if this actually answers your questions (or how accurate
this is :( – I’m still very much grappling with all this!), so someone
else may come along and correct this :). But this is what I think I’ve
figured out:

session[:user] is the array which holds all of the current user's session data
session[:user].id, by extension, is one particular element in that array
session[:user_id] does not appear to be a valid reference.

The concern I’ve heard reference to is that sessions are stored
separately from the objects they may have references to. So if the
session has a reference to an instance of class User in
session[:user], then that User instance will get stored in the session
store. But when the session is rehydrated, the actual User instance
in the database may be different than the one in the newly restored
session. There is a potential consistency problem.

I’ve heard people say that you should reference session[:user].id and
load the User instance from the database instead of working with and
trusting any data in session[:user].

So, my question is, does the LoginEngine do anything to help us with
these best practices? Assuming this issue appears to be well-known, I
was wondering if perhaps the LoginEngine has automatically loaded the
current user from the database by the time our controller action is
invoked…or if we have to do this ourselves…

If the latter, it would seem like that is something that could be put
into the LoginEngine itself.

LoginEngine provides ‘current_user’ which is a helper method available
to all views, which returns the current user from the session.

That would seem to be the perfect place to do it. So the current_user
method could refresh the user in the session…??

Alternatively, perhaps session[:user] shouldn’t be in the session at
all, to prevent users from inadvertently accessing inconsistent data.
Replace it with session[:user_id] and get people to access the User
object via the current_user method. It would have the side benefit of
reducing the size of the session store, too.

What mistakes am I making?

Thanks,
Brad
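As an added illustration of the consistency problem Brad describes (not LoginEngine code, and not from the original thread): a constructed in-memory users "table" and a Marshal round-trip standing in for the session store, comparing a User object kept in session[:user] against a current_user helper that reloads from session[:user_id].

```ruby
# Constructed stand-in for the users table row; not a Rails/LoginEngine model.
User = Struct.new(:id, :login, :admin)

# Simulate the session store: the session hash is serialised on the way out
# and deserialised on the next request, so whatever is stored in it is a
# snapshot taken at login time, not a live database row.
def store_and_rehydrate(session)
  Marshal.load(Marshal.dump(session))
end

# Minimal stand-in for a controller carrying LoginEngine-style helpers.
class SessionController
  def initialize(users, session)
    @users = users      # constructed "table": id => User
    @session = session
  end

  # Pattern the post worries about: trust the User instance serialised
  # into session[:user].
  def current_user_from_session_object
    @session[:user]
  end

  # Pattern the post proposes: keep only the id in the session and reload
  # the row from the database, memoised for the duration of one request.
  # Returns nil if the account no longer exists.
  def current_user
    @current_user ||= @users[@session[:user_id]]
  end
end

# Scenario: log in as an admin, revoke the admin flag in the database,
# then handle the next request with the rehydrated session.
def stale_vs_fresh
  users = { 1 => User.new(1, "brad", true) }
  login_session = { user: users[1], user_id: 1 }   # store both, for comparison
  next_request = store_and_rehydrate(login_session)
  users[1] = User.new(1, "brad", false)            # privilege revoked after login
  c = SessionController.new(users, next_request)
  { stale: c.current_user_from_session_object.admin,   # still true: snapshot
    fresh: c.current_user.admin }                       # false: reloaded row
end

# A deleted account: the id-based lookup simply yields no user.
def deleted_user_is_nil
  SessionController.new({}, { user_id: 1 }).current_user.nil?
end

puts stale_vs_fresh.inspect if $PROGRAM_NAME == __FILE__
```

The :stale value is what a check like `session[:user].admin` would still see after the revocation; the :fresh value is what a current_user that reloads from the database sees.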