
The "data" in a Rails session looks like this:

{"warden.user.user.key" => [[1], "long-random-string"]}

1 is the user id. What is the long random string?

Is this something handled/used by Rails, or Devise?

John Bachir

1 Answer


When you log in a user (Devise model name User), a key "warden.user.model_name.key" is created, which in your case is "warden.user.user.key".

For example:

{ "warden.user.user.key" => [[1], "$2a$10$KItas1NKsvunK0O5w9ioWu"] }

where

1 is the id of the logged in user.

$2a$10$KItas1NKsvunK0O5w9ioWu, aka long-random-string, is the partial encrypted password of the user with id 1.

You can verify this by going into the Rails console and executing:

  User.find(1).encrypted_password
  # => "$2a$10$KItas1NKsvunK0O5w9ioWuWp4wbZ4iympYMqVCRmmvTGapktKqdMe"

UPDATE

could you tell me a bit more about this partial encrypted password? why is it partial and not full?

To answer your above question in the comment, Devise stores the partial encrypted_password in the session by invoking the authenticatable_salt method. Devise stores the partial encrypted_password as it is more reliable, rather than exposing the full encrypted_password in the session (even though it's encrypted). That's why the first 30 characters ([0,29]) of the encrypted_password are extracted and stored in the session.

  # A reliable way to expose the salt regardless of the implementation.
  def authenticatable_salt
    encrypted_password[0,29] if encrypted_password
  end

You can see the code for authenticatable_salt here.

where/when is it used? is it used by Devise, or by Rails, or both?

It is used by Devise for authentication purposes, to verify whether or not a particular user is logged in. The ideal use case would be how a particular Rails application keeps track of a logged-in user when a new page is requested. As HTTP requests are stateless, it would be impossible to tell that a given request actually came from that particular user who is logged in. This is why sessions are important: they allow the application to keep track of the logged-in user from one request to another until the session expires.

Kirti Thorat
  • thank you! could you tell me a bit more about this partial encrypted password? why is it partial and not full? where/when is it used? is it used by Devise, or by Rails, or both? – John Bachir May 16 '14 at 15:22
  • (or feel free to direct me to somewhere to read about this -- but i couldn't find a good explainer anywhere) – John Bachir May 16 '14 at 15:22
  • 1
    @JohnBachir Please read my updated answer. Hope it helps you to understand. – Kirti Thorat May 16 '14 at 20:06
  • 1
    epic answer-- thanks! points! i'm still a little unclear what the purpose is, but now it's easy for me to explore it myself. (i don't understand how this is related to a salt. salts are typically and strings stored with a user used to perform a 1-way hash and to make a stolen hash useless for guessing the plaintext pw). – John Bachir May 16 '14 at 22:07
  • 1
    there's some extra insight at http://www.jonathanleighton.com/articles/2013/revocable-sessions-with-devise/ about the salt being used to invalidate existing sessions when the password is changed: the new password's salt will be different to the one stored in the session, so the session is rejected. More about the string's content at http://stackoverflow.com/a/6833165/395180 – nruth Aug 01 '16 at 17:12