Session and Database

Hello All,

I would like to have my session stored in the database instead of the
browser.
Please, could someone explain to me how to do this?

Regards,
Emeka

*Satajanus Nig. Ltd

On 26 May 2011, at 15:38, Emeka wrote:

I would like to have my session stored in the database instead of the
browser. Please, could someone explain to me how to do this?

However, there’s very little to no reason why you would change to the
ActiveRecordStore. The session should not even contain sensitive data
to start off with, that’s not what it’s made for. It’s also not meant
to be used as a garbage can for heaps of data. If that’s the reason
why you want to switch to the ActiveRecordStore, then you should stop
for a second and rethink what you are putting in the session and put
it somewhere else.

Also, keep in mind that when you switch to the ActiveRecordStore:

  • You will need to clean the expired sessions on regular intervals
    yourself
  • You will be hitting the database a lot more often on every request,
    a waste of server resources in my opinion

Best regards

Peter De Berdt

And if it’s for a multi-server web farm, you’re way better off with
sticky sessions on the load balancer than a shared persistent session
store. And if you can’t afford to ever lose any of the data you’re
currently saving in session even in the rare event of server fail over,
you should be taking the performance hit and associating that to a
persistent user profile in the database.

Best Wishes,
Peter

Thank you all, I have repented. I am a new being now =)

On Thu, May 26, 2011 at 4:52 PM, Alpha B. wrote:

Yourapp::Application.config.session_store :cookie_store


*Satajanus Nig. Ltd

On May 26, 4:08pm, Peter De Berdt wrote:

to be used as a garbage can for heaps of data. If that’s the reason
why you want to switch to the ActiveRecordStore, then you should stop
for a second and rethink what you are putting in the session and put
it somewhere else.

The one issue I have occasionally had with cookie store is that in the
presence of multiple concurrent requests altering the session then
with the cookie store these requests tend to destroy each other's
changes to the session, whereas with the database you can at least make
a half decent attempt to merge changes (when the requests are changing
different keys in the session).

Fred

On 26 May 2011 16:52, Alpha B. wrote:

Don’t be afraid to use cookies! When
implemented properly, you should have nothing to fear.

Apart from the law in Europe:

There’s absolutely no reason that I can think of for you to store
sessions in the database. As was stated previously, you shouldn’t store
any personal data in the session. Don’t be afraid to use cookies! When
implemented properly, you should have nothing to fear.

Here’s an example you can do with your session_store.rb file. I even
added a gist so you can see the formatting better.

/config/session_store.rb

Yourapp::Application.config.session_store :cookie_store

Yourapp::Application.config.session = {
  :key          => '_yourapp_session',     # name of cookie that stores the data
  :domain       => nil,                    # you can share between subdomains here: '.subdomain.com'
  :expire_after => 1.month,                # expire cookie
  :secure       => false,                  # for https it's true
  :httponly     => true,                   # a measure against XSS attacks, prevent client side scripts from accessing the cookie
  :secret       => 'YOUR SECRET GOES HERE' # RUN RAKE SECRET to generate secret
}

You can read it better by going to this gist:

Hope that helps.
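
What the :secret in the configuration above is for, and why the thread advises keeping sensitive data out of the session: a signed cookie is tamper-evident, but anyone holding it can still read it. This is an added sketch, not code from the post or from Rails itself; the helper names, the JSON serialization, HMAC-SHA256 and the constructed secret are assumptions made for illustration.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Constructed secret for this demo; a real app generates one with `rake secret`.
SECRET = 'constructed-demo-secret-not-for-production'

# Serialize the session and append an HMAC so the server can detect changes.
# JSON stands in for the application's serializer (assumption of this sketch).
def sign_session(session, secret)
  data = Base64.strict_encode64(JSON.generate(session))
  "#{data}--#{OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA256'), secret, data)}"
end

# Constant-time comparison, so the check does not reveal how many bytes matched.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server side: the session hash, or nil when the signature does not verify.
def verify_session(cookie, secret)
  data, digest = cookie.to_s.split('--', 2)
  return nil if data.nil? || digest.nil?
  expected = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA256'), secret, data)
  return nil unless secure_compare(digest, expected)
  JSON.parse(Base64.strict_decode64(data))
rescue ArgumentError, JSON::ParserError
  nil
end

# No secret is needed to read the payload: it is signed, not encrypted.
def read_without_secret(cookie)
  JSON.parse(Base64.strict_decode64(cookie.split('--', 2).first))
end

# A payload edited on the client while the old signature is kept.
def tamper(cookie, changes)
  data, digest = cookie.split('--', 2)
  edited = JSON.parse(Base64.strict_decode64(data)).merge(changes)
  "#{Base64.strict_encode64(JSON.generate(edited))}--#{digest}"
end

if __FILE__ == $PROGRAM_NAME
  cookie = sign_session({ 'user_id' => 42, 'role' => 'member' }, SECRET)
  puts "readable payload: #{read_without_secret(cookie)}"
  puts "verified session: #{verify_session(cookie, SECRET).inspect}"
  puts "tampered session: #{verify_session(tamper(cookie, 'role' => 'admin'), SECRET).inspect}"
end
```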

On May 26, 2011, at 2:17 PM, Michael P. wrote:

On 26 May 2011 16:52, Alpha B. wrote:

Don’t be afraid to use cookies! When
implemented properly, you should have nothing to fear.

Apart from the law in Europe:
EU law restricting website cookies comes into effect - BBC News

Depends. From the description on that site: “Cookies are designed to
gather information about users, and these rules relate to code
designed to help target advertisements - specifically when the
information gathered is unrelated to the website being browsed.”

Sounds to me (IANAL, not even in Europe) as though the basic Rails
cookie store would be completely kosher here.

Walter