Sessions and cookies in Ruby on Rails  15


An important issue rarely talked about with little documentation on Internet. So, here we go ... a guide to session and cookies in Rails. Session and cookies are an integral part of any good web application and rails has a good support for them. Continuing with our DRY approach, this guide contains link to cool articles with good description wherever necessary.

Table of Contents

  1. Introduction
  2. Sessions
    1. Session in rails
    2. Configure your sessions
    3. Storage options
    4. Session storage limitations
    5. Session and Security
    6. HowTo
      1. Implement session expiration
      2. Delete stale sessions
      3. Find out active users
      4. Access session data using session_id
    7. Miscellaneous
  3. Cookies
    1. Cookie on rails
    2. cookies vs. request.cookies
    3. CookieJar
    4. Miscellaneous

Introduction

HTTP is a stateless protocol which creates problem in uniquely tracking a visitor to a web application. The process of managing the state between browser and server is through the use of session IDs which uniquely identifies a client browser.

Session IDs can be stored and communicated in one of the following ways :
  1. Embedded in URL
  2. In form field
  3. Using cookies.

Information stored between multiple client browser request is called Session Data. Session data for each visitor can be stored at the server or in cookies. Upon client request to server, session data is extracted from session storage using session ID send by client browser. A good common example for session data is user information for authentication.

In the present times, its hard to imagine a good web application not using Sessions.

A wonderful article on implementation techniques of Session ID.
http://www.technicalinfo.net/papers/WebBasedSessionManagement.html

- Sessions -

Session in rails

Session in rails is a hash-like structure which allows you to store data across requests. Sessions can hold any kind of data object (with some limitations) because they store data using Data Marshalling (aka Data Serialization or Data Deflating).

Rails way of implementing session:
  1. session_id is a 32 hex character MD5 hash based upon time, random number and constant string. It is stored in cookie at client browser. Rails provides transparent support for session_id.
  2. Session storage discussed below.

Remember, you can insert or access values from session similar to hash ... but session is NOT a hash. Most of the other hash methods will not work with sessions.

Working with session in rails
http://wiki.rubyonrails.org/rails/pages/HowtoWorkWithSessions
Data Serialization in Ruby
http://en.wikipedia.org/wiki/Serialization#Ruby
CGI::Session creates a new instance of session everytime a new user visits your site.
http://corelib.rubyonrails.org/classes/CGI/Session.html

Configure your sessions

Configure key, prefix, expiry and domain of your session.
http://wiki.rubyonrails.org/rails/pages/HowtoChangeSessionOptions
Switch on/off session at controller and action level.
http://errtheblog.com/post/24
session_path and session_secure
http://corelib.rubyonrails.org/classes/CGI/Session.html

Refer to next section on options for session storage.

Note: By default session_id is stored as key in cookies. For multiple rails application from same domain its a good practice to set 'session_key' to avoid conflicts.

Storage options

Ruby on Rails provides you with many session storage option.
  1. PStore
  2. ActiveRecordStore
  3. CookieStore
  4. DRbStore
  5. FileStore
  6. MemoryStore

CookieStore is available only in edge rails. PStore is the default option for stable release, whereas its CookieStore as default for edge rails.

Good description on session stores.
http://errtheblog.com/post/24
http://wiki.rubyonrails.org/rails/pages/HowtoChangeSessionStore
Cookie-based session storage
http://ryandaigle.com/articles/2007/2/21/what-s-new-in-edge-rails-cookie-based-sessions
http://www.caboo.se/articles/2007/2/21/new-controversial-default-rails-session-storage-cookies
Improve performance : use SQLSessionStore instead of ActiveRecordStore
http://railsexpress.de/blog/articles/2005/12/19/roll-your-own-sql-session-store
http://agilewebdevelopment.com/plugins/sql_session_store
Comparison of session storage option
http://scott.elitists.net/sessions.html

Session storage limitations

Following objects cannot be stored in session storage:
  1. Bindings
  2. Singleton
  3. I/O objects
  4. Procedure objects
Do not store model objects in session
  1. Change in model objects saved in session would also change table row corresponding to model object.
  2. Breaks validations.
  3. On change in class definition, model objects in session will go out of sync.
    http://railscasts.com/episodes/13 http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-talk/268624
  4. A general belief is marshalling/unmarshalling of session on each request is expensive. This might be wrong - read Eric Hodel's comment at :
    http://www.caboo.se/articles/2007/2/21/new-controversial-...-cookies#comment-1331

Incase you are storing model objects in session, upon change in class definition you will need to delete sessions and then restart your applications.

More limitations :
  1. Store only user-specific data. Session data will become stale if other users can modify/update it. For e.g. if you store blog comments in session then session of active users need to be explicitly updated when new comment in made.
  2. Critical information should be stored in database and not sessions as you might loose information if client cookie is lost/deleted. For e.g. user purchase information on a shopping site.
  3. Session are not meant for storing massive objects or tons of information, use your application database instead.

Session and Security

A detailed look into security issues concerning sessions. Lookout into sections named as 'Session Hijacking' and 'Common Failings'
http://www.technicalinfo.net/papers/WebBasedSessionManagement.html
Minimize session attacks
http://www.quarkruby.com/2007/9/20/ruby-on-rails-security-guide#sessions
Using XSS attacks a hacker can steal user's session-id ... be careful.
http://www.quarkruby.com/2007/9/20/ruby-on-rails-security-guide#xss

HowTo

Implement session expiration

A good description
http://wiki.rubyonrails.org/rails/pages/HowtoChangeSessionOptions
A concise version
http://www.quarkruby.com/2007/9/20/ruby-on-rails-security-guide#sessions

Delete stale sessions

Every session created in session storage (ActiveReocord, PStore ...) is not deleted upon session expiration or browser close by client. Which means you will have to run a cron job to delete old sessions else your session storage will shoot up in size.

As a good practice disable sessions for those part of your web application which does not require sessions. This will avoid creation and storing unnecessary sessions in your storage.

Find out active users

http://matt-beedle.com/2006/12/13/rails-how-to-find-out-who-is-online/

If you want to find no. of active users, simply use updated_at column of sessions table.

Access session data using session_id

This might be helpful if another application in same domain wants to access your session.
http://webonrails.com/2006/12/08/accessing-session-data-using-session_id/

Miscellaneous

  1. Use model method to access row in sessions table corresponding to current session. For e.g. session.model.id or session.model.updated_at
  2. Smart plugin for better session experience in rails specially for session expiration.
    http://agilewebdevelopment.com/plugins/limited_sessions
  3. Flash messages to communicate between actions are stored in sessions. So, if you switch off your sessions, flash messages will stop working.
  4. Do not let bots make unnecessary sessions
    http://jroller.com/obie/entry/wrestling_with_the_bots http://gurge.com/blog/2007/01/08/turn-off-rails-sessions-for-robots/
  5. Do not write unchanged sessions back to database -- improves performance
    http://pastie.caboo.se/53086
  6. Non-cookie session :

    If the client has cookies disabled, the session_id must be included as a parameter of all requests sent by the client to the server. The CGI::Session class will transparently add the session_id as a hidden input field to all forms generated. No built-in support is provided for other mechanisms, such as URL re-writing.

    If you care about browsers which do not support cookies, checkout the following plugins (disclaimer : I have never used these plugins :P )
    Hidden Field Session : http://agilewebdevelopment.com/plugins/hidden_field_session
    No cookie session support : http://www.edgesoft.ca/blog/read/2

    Beware, session information in URL might be dangerous. Someone might post a link to a product on a board and everyone following this link is logged with all user data available.

  7. PStore in Windows : Marshal Data Too Short Error
    http://wiki.rubyonrails.org/rails/pages/MarshalDataTooShort

- Cookies -

Cookie on rails

Cookies are stored at client browser and is sent back to server on each request. Rails provides a hash-like structure ActionController#cookies in controller to manage cookies. Session in rails is implemented using cookies.

Description, options and example
http://api.rubyonrails.com/classes/ActionController/Cookies.html
Note :
  1. Only string can be stored in cookies.
  2. session_id is by default stored in cookies at client browser.

cookies vs. request.cookies

Both cookies and request.cookies are used to access cookie information in your rails application. They are very different in their behavior which can be daunting for beginners. Examples below explains the basic difference between them. 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17

## cookies and request.cookies are different
cookies.class #=> ActionController::CookieJar
request.cookies #=> Hash

## how to access value from cookies and request.cookies
# First set some value in cookies
cookies[:key] = "value"

cookies["key"] #=> "value"
cookies[:key] #=> "value"
# both the output are of type String

request.cookies["key"] #=> "value"
request.cookies["key"].class #=> CGI::Cookie

request.cookies[:key].empty? #=> true
request.cookies[:key].class #=> Array

CookieJar

cookies in rails is of type CookieJar. CookieJar manages incoming and outgoing cookie information and works as follows. 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19

def index
  cookies[:key] = "val"
  puts cookies[:key]
  redirect_to :second_index
end

def second_index
  cookies[:key] = "newval"
  puts cookies[:key]
end

## Output :
## Open index page for the first time
# nil
# val

## Open index page the second time
# newval
# val
So,
cookies[] gives you value from the incoming cookie.
cookies[]= sets value in the outgoing cookie.

Reference :
http://www.40withegg.com/2007/1/5/rails-cookies-mangles-the-hash-interface/

Miscellaneous

Checkout cookie based session store explained above.

Testing cookies
http://www.robbyonrails.com/articles/2006/08/28/testing-cookies-in-ruby-on-rails
Open ticket - making CookieJar behave like a Hash.
http://dev.rubyonrails.org/ticket/9459
Performance and cookies : a good read
http://yuiblog.com/blog/2007/03/01/performance-research-part-3/
Filed in guides ruby on rails
Tagged as sessions 
Posted on 21 October
15 comment Bookmark   AddThis Social Bookmark Button Updated on 24 October
Comments

Leave a response

  1. jeffOctober 23, 2007 @ 08:31 PM

    shouldn’t the output of the cookies experiment be this?

    1. Output :
    2. Open index page for the first time
    1. nil
    2. val
    1. Open index page the second time
    1. newval
    2. val
  2. QuarkOctober 24, 2007 @ 02:59 AM

    @jeff

    oops! ... was in a hurry to post this article.

    thanks for pointing it out :)

    Ticket #1(defect) closed by quark :D

  3. ManikOctober 25, 2007 @ 10:44 AM

    Nice exhaustive post!

    Thanks for all the info.

  4. Greg WillitsNovember 03, 2007 @ 05:05 AM

    Lots of details. Thanks.

    How do you go about forcing a rails session cookie to be deleted? On a logout page, the cookie should be updated with a negative expiration time so that a redirect off of the logout page result in the cookie being deleted. I haven’t found that documented anywhere.

    Likewise the data column of the session should be deleted when a session is terminated, but I don’t see Rails doing that.

  5. QuarkNovember 05, 2007 @ 03:09 PM

    Hi @Greg,

    Try to use reset_session on user logout. It clears out the current user session and initialize a new session object.

    You are right, on session termination, rails does not deletes the corresponding row from the sessions table. Running a cron job is a good solution. Checkout section ‘Delete stale session’ of this article http://www.quarkruby.com/2007/10/21/sessions-and-cookies-in-ruby-on-rails#sstale

  6. Michael HendrickxNovember 09, 2007 @ 08:41 PM

    Nice article, thank you!

    One question though, how do you access the session ID itself? I’m currently using request.cookies[“_appname_session_id”], but it comes with a helluva lot of white spaces.

    I tried casting it in a string, but it gives me the entire cookie contents then.. :(

    Could you help me out please? Thank you and keep up the great work!

    m1ke

  7. Song, ChihyungDecember 18, 2007 @ 09:08 AM

    Hi @Michael, thanks for a good article!

  8. QuarkDecember 18, 2007 @ 10:13 AM

    Hi @Michael,

    session.session_id will give you the session_id.

    request.cookies[“_appname_session_id”] returns session_id in a object of type CGI::Cookie and .to_s on it returns “_appname_session_id=49d8…..f227; path=” this is weird.”

  9. justinJanuary 10, 2008 @ 01:50 AM

    Quark, Would you know how to send session data in GET or how to open the right session data in a controller? 

    I'm trying to use FancyUpload (http://digitarald.de/project/fancyupload/) to allow my users to upload more than one file at a time.  But it requires sending cookie data with GET.  I've figured out how to read the session files, but they are named differently than the cookie ID.

    I’ve been looking in CGI, but to no avail.

  10. QuarkJanuary 11, 2008 @ 06:41 AM

    @justin,

    Rails automatically gets the right session for you. Session-id in present in the cookie, which is a part of every request. So you never need to care about ‘cookies’, ‘session-id’ , etc. Just use session object in your controller.

    If there is something particular do let me know.

    - Quark

  11. NJ - NYApril 12, 2008 @ 05:18 PM

    thanks

  12. ericApril 22, 2008 @ 06:54 PM

    how can I have multiple rails apps on my intranet use sessions for single sign on?

  13. kamalaMay 12, 2008 @ 05:45 AM

    LKL;P;KL

  14. kamalaMay 12, 2008 @ 05:47 AM

    IT IS GOOD

Comment