Rails app with different session store for each model

Ady Rosen

I have two models doing login (Devise) in my Rails app - Admin and User, both currently use the default cookie store for session data.

I want to be able to identify an Admin session in AJAX requests coming in from the admin, for authorization of these API calls. I plan to do this by setting an encrypted cookie upon Admin login. When the AJAX API call comes in, I open the cookie, grab some identification from it and look for a matching existing Admin session in the store.

As I understand it, to do this, I must have session information stored in the back-end, either by DB or memcache stores.

I expect to have millions of sessions of Users and just a few sessions of Admin at any given time. For this reason, I don't want to just move all session information to a DB or memory, since this is a heap of unneeded data to store. I only want to store/look at Admin session data.

A solution will be creating some custom model which enumerates Admin user sessions, and is maintained by the app. This is simple enough but requires, for instance, a way to clean up sessions when they die without signing out. Essentially this is an attempt to duplicate Rails's session store mechanism, which comes with all the problems of storing and maintaining sessions. Instinct tells me to avoid this solution. Am I correct to avoid it?

If so, then my question is, is there a way to configure multiple session stores in a Rails app, a different store for every logged in Model? In this case, have Admin sessions stored in memory, and User sessions stored in cookie. If not, I'll greatly appreciate any comments and suggestions.

Thanks!

max

You may be thinking about it wrong.

Sessions are a low-level mechanism that you build your authentication on top of. It's just a cookie containing an identifier (a random hash) which is linked to a session storage (by default cookies). This is a simple mechanism to add persistence to a stateless protocol.

Confusingly we also use the concept "sessions" when talking about authentication - for example logging a user in is often referred to as "creating a session". This is complete poppycock as we are just storing a claim (often a user id) in the session that was created when the user first visits the application.

> If so, then my question is, is there a way to configure multiple session stores in a Rails app, a different store for every logged in Model?

No. That's a chicken-vs-egg conundrum. In order to know which session storage to use you would need to access the session storage to know which session storage to use... you get the picture.

While you could create your own session storage mechanism that works differently, doing this is most likely a complete waste of time. Premature optimization is the root of all evil.

> As I understand it, to do this, I must have session information stored in the back-end, either by DB or memcache stores.

Not quite true. You can perfectly well build an authentication solution with just the cookie storage. In that case Rails just keeps a record on the server of which session identifiers are valid.

The main reason you would need to store additional session information in the database or memcached is if you need to store more data in the session than the 4093 bytes allowed by a cookie. Cookie storage is after all much faster and does the job fine 99% of the time. YAGNI.

You should also recognize that not everything needs to be saved in the session storage. For example the Devise trackable module saves log in / out timestamps on the user table as part of the process of authenticating a user. This is "session information" yet has nothing to do with session storage.

> I want to be able to identify an Admin session in AJAX requests coming in from the admin, for authorization of these API calls.

There are many ways to use different authentication logic for different parts of the application such as Warden strategies. For an API you may want to consider using stateless (and sessionless) authentication such as JWT.
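
The stateless option mentioned in the answer above, as an added example (not part of the original post, and not Devise's or Warden's own code): a hand-rolled HS256 JWT built only on Ruby's standard library, issued at admin login and verified on each AJAX call without any server-side session record. The names `AdminToken` and `SECRET`, the `scope` claim and the 15-minute TTL are assumptions made for illustration.

```ruby
require "openssl"
require "json"

# Constructed demo key (assumption); a real app would use a managed secret.
SECRET = "constructed-demo-secret"

module AdminToken
  HEADER = { "alg" => "HS256", "typ" => "JWT" }.freeze

  # base64url without padding, as JWT requires
  def self.b64(data)
    [data].pack("m0").tr("+/", "-_").delete("=")
  end

  def self.unb64(str)
    str.tr("-_", "+/").unpack1("m")
  end

  def self.sign(input, key)
    b64(OpenSSL::HMAC.digest("SHA256", key, input))
  end

  # Issued once at admin login; nothing is written to a session store.
  def self.issue(admin_id, key:, ttl: 900, now: Time.now.to_i)
    claims = { "sub" => admin_id, "scope" => "admin", "exp" => now + ttl }
    input = "#{b64(JSON.generate(HEADER))}.#{b64(JSON.generate(claims))}"
    "#{input}.#{sign(input, key)}"
  end

  # Returns the admin id, or nil if the token is forged, expired or not admin-scoped.
  def self.verify(token, key:, now: Time.now.to_i)
    parts = token.to_s.split(".", -1)
    return nil unless parts.size == 3
    head, body, sig = parts
    # Check the MAC before parsing anything the client controls.
    return nil unless secure_eq(sign("#{head}.#{body}", key), sig)
    return nil unless JSON.parse(unb64(head))["alg"] == "HS256" # pin the algorithm
    claims = JSON.parse(unb64(body))
    return nil unless claims["scope"] == "admin" && claims["exp"].is_a?(Integer)
    claims["exp"] > now ? claims["sub"] : nil # expiry replaces session clean-up
  rescue JSON::ParserError
    nil
  end

  # Constant-time comparison for equal-length strings.
  def self.secure_eq(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

In a Rails controller the token would typically arrive in an `Authorization` header and `AdminToken.verify` would run in a `before_action`. Revoking a token before its `exp` still requires some server-side state, such as a short denylist.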
