Don’t Abuse the Session

June 23rd, 2008 by John Trupiano

Never, ever, ever, ever, ever store an ActiveRecord model in the session. Just store the id and load it into an instance variable from the database on every request. Why? A couple reasons…

First, you’re susceptible to staleness. Consider this. User A logs in, and you store their user object in the session. Administrator X logs in and deactivates User A’s account. User A can still muck around your site because you’re reading the user data from the session, which has stale data.

Second, the default in Rails these days is to store your session data in cookies (honestly, I don’t know why…..it only clutters up your requests, forcing the session to be passed back and forth on _every_ request, and opening up the possibility that the encryption key could be brute-forced……this is a rant for another day). You just don’t want to be storing whole ActiveRecord objects in the session. They’re big and clunky. The extra database call to reload the object in a before_filter on every request is practically trivial, and you’ll keep the “tubes” less clogged.

This practice is certainly not rails-specific, and should be adopted no matter the server-side technology.

This entry was posted on Monday, June 23rd, 2008 at 1:24 pm and is filed under John Trupiano, Programming, Ruby on Rails. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

John co-founded SmartLogic Solutions with Yair Flicker in May 2005. He is very actively involved with the Ruby and Rails communities, as well as the Baltimore/DC tech and business communities. Check out his GitHub Projects or follow @jtrupiano on twitter.

John Trupiano's posts

Rack::Rewrite 0.2.1 Released Jan 06 2010
Why We’re Excited about the Maryland Tech Crawl Dec 10 2009
Timecop 0.3.4 Released Dec 07 2009
Rack::Rewrite + Google Analytics Makes Site Transitions Seamless Nov 24 2009
Rack::Rewrite for Site Maintenance and Downtime Nov 16 2009
Timecop 0.3.0 Released Sep 20 2009
Shell Script to Upgrade Ruby Enterprise Edition while Maintaining Directory Naming Sanity Jun 10 2009
SmartLogic Wants to Clean Up Twitter, Introduces ShouldIRT.com May 05 2009
Integrity CI on Passenger 2.2.2 with Ruby Enterprise Edition on Ubuntu 8.04 Apr 26 2009
Reintroducing sanitize_email | Work with Production Email without Fear Apr 25 2009
environmentalist 0.2.3 released — supports rails 2.3.2 Apr 04 2009
Recap of the First Baltimore Angels Meetup Mar 05 2009
Rails 2.3 Nested Object Forms: I’m not Crazy about Them Feb 24 2009
TATFT: Test Private Methods in C++ Feb 16 2009
AASM + interning empty string error Feb 13 2009
Timecop 0.2.0 Released: Freeze and Rebase Time in Ruby Dec 24 2008
Timecop: Freeze Time in Ruby for Better Testing Nov 19 2008
Benchmark Ruby Code with R, rsruby and better-benchmark Oct 08 2008
Ruby: Patch to fix broken YAML.dump for multi-line strings (String#to_yaml) Sep 04 2008
Introducing environmentalist: an intuitive, environment-focused config structure for your rails applications Aug 04 2008
Problems with restful_authentication Plugin and Internet Explorer Cookies Jul 11 2008
I can’t upgrade RubyGems from 1.1.1 to 1.2.0 on Ubuntu Jul 07 2008
Rails 2.1 broke my mysql foreign keys! Jun 24 2008
Don’t Abuse the Session Jun 23 2008
Subversion Timestamps + Capistrano finalize_update Jun 07 2008
Deploying Rails Apps with Capistrano without root or sudo Privileges Jun 06 2008
Better setup for environments in Rails Jun 02 2008

Blog

Don’t Abuse the Session

Related Posts:

Leave a Reply

John Trupiano's posts