Rails, CookieStore vs ActiveRecordStore


I am currently experiencing a strange issue with our users being logged out. I haven't been able to reproduce it explicitly.

The Rails application is using the default CookieStore.

My initial hypothesis is that somehow the session data within the cookie, or even the cookie itself is being destroyed. This may be either from a user clearing browser data, or something within the system that has not been caught.

As of now, the authentication system appears to be functioning as intended (Authlogic), and we are not experiencing the issue widespread in other components of the application.

I am considering using ActiveRecordStore to see if the problem is resolved. My understanding is the session data would be stored within the database, and if a cookie were being removed, the user would not get logged out.

Are there many known pros/cons to using CookieStore vs ActiveRecordStore?

Why is CookieStore the default when creating a Rails application, and not ActiveRecordStore?


There are 2 best solutions below


I think CookieStore is the default because it is simple. It doesn't require a database table.

CookieStore is not as secure as ActiveRecordStore. With CookieStore, intercepted cookies will give access to a valid session forever, even if you create a new one. With ActiveRecordStore, you can invalidate a session by removing it from the database.

See this blog post: http://www.bryanrite.com/ruby-on-rails-cookiestore-security-concerns-lifetime-pass/
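An added illustration of the invalidation point made in this answer (example code, not from the post or from Rails itself; the HMAC-signed cookie and the Hash-backed store are simplified stand-ins for CookieStore and ActiveRecordStore, and the secret is a constructed placeholder):

```ruby
require "openssl"
require "json"
require "base64"
require "securerandom"

SECRET = "demo-secret-not-a-real-rails-secret" # constructed stand-in for secret_key_base

# Simplified CookieStore: the whole session hash travels in the cookie,
# HMAC-signed so the client cannot alter it, but not encrypted.
module CookieStoreSim
  def self.sign(payload)
    OpenSSL::HMAC.hexdigest("SHA256", SECRET, payload)
  end

  def self.write(session)
    payload = Base64.strict_encode64(JSON.generate(session))
    "#{payload}--#{sign(payload)}"
  end

  # Only a signature check: the server keeps no record, so any cookie
  # it signed in the past still validates.
  def self.read(cookie)
    payload, digest = cookie.split("--", 2)
    return nil unless digest && sign(payload) == digest
    JSON.parse(Base64.strict_decode64(payload))
  end
end

# Whoever holds the cookie can read the session data without the secret.
def peek_cookie(cookie)
  JSON.parse(Base64.strict_decode64(cookie.split("--", 2).first))
end

# With CookieStore, a cookie captured before logout still verifies after
# the app issues a fresh session: there is no server-side state to revoke.
def cookie_store_valid_after_logout?
  captured = CookieStoreSim.write({ "user_id" => 42 })
  CookieStoreSim.write({}) # "logout": app hands out a new, empty cookie
  !CookieStoreSim.read(captured).nil?
end

# Simplified ActiveRecordStore: the cookie carries only a random id and the
# data lives in a server-side row (a Hash here), which logout can delete.
def server_store_valid_after_logout?
  rows = {}
  captured = SecureRandom.hex(16)          # the only thing in the cookie
  rows[captured] = { "user_id" => 42 }
  rows.delete(captured)                    # logout destroys the session row
  !rows[captured].nil?
end
```

The `peek_cookie` helper shows the related concern about keeping sensitive data in a cookie-backed session: a signature stops tampering, but anyone holding the cookie can still read its contents.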


I can answer your last two questions.

  • You should not use the cookie store if you're storing sensitive data in the session because you want such data to be on the server-side and not on the client.

  • The cookie store is the default because Rails is giving you a strong hint that you should not be storing lots of data in the session, by virtue of the fact that cookie storage is limited to 4 KB.