I thought to store the type of the currently logged in user in session[:user_type]. The options are: "admin", "end_user", "demo" (may add more user types in the future).

I wonder if it is safe to do that in Rails 3 application.

Can user change somehow the session[:user_type] from "demo" to "admin" ?

Misha Moroshko

2 Answers

It depends on your session store.
By default Rails uses cookies as the session store, so by default it's not safe: it's pretty easy to change the content of a cookie.

So you could either:

  • change your session store in config/initializers/session_store.rb and use an activerecord store (so it will be stored in the db) or a memcache store. There are also plenty of plugins on github letting you use redis, mongodb, ... as session stores
  • store this information in your db and have a before_filter in your application_controller that accesses the cookie to get the current user id and loads the whole user object into a variable @current_user
Mike
  • One question: if the user id is stored in the cookie, can't the user try to change it as well? (after several tries he might guess an admin user id) – Misha Moroshko Mar 29 '11 at 11:04
  • @Misha. You're right, user_id should not be in a cookie, as it can be manipulated. But if you store user_id in the session and don't use cookie_store, as in Mike's first alternative, you wouldn't have that problem. – oma Mar 29 '11 at 12:33
  • This is not entirely accurate (read the article linked to by ThoKra below). Rails signs cookies with a digest, and returns nil for session values if the digest doesn't match, so it's not possible for end users to change the session values even if they're stored in a cookie. – Louis Simoneau Nov 26 '13 at 04:42
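As an added example (not code from the answers above or from Rails itself) of the two points made here: the signing check Louis Simoneau's comment describes, in the Rails 3 cookie format (Base64 Marshal payload, `--`, hex HMAC-SHA1 digest), with a verify step that returns nil on digest mismatch; and Mike's second bullet, where the user type used for authorisation is looked up server-side by user_id instead of being trusted from the cookie. The secret, the USERS table and every function name are constructed for this example.

```ruby
require "openssl"
require "base64"

# Constructed placeholder secret; a Rails 3 app would use config.secret_token instead.
SECRET = "0123456789abcdef" * 4

# Serialise the session hash roughly the way Rails 3's CookieStore does:
# Base64(Marshal.dump(hash)) + "--" + hex HMAC-SHA1 of that Base64 payload.
def generate_session_cookie(session_hash, secret = SECRET)
  data = Base64.strict_encode64(Marshal.dump(session_hash))
  digest = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("sha1"), secret, data)
  "#{data}--#{digest}"
end

# Constant-time comparison so the digest check does not leak bytes through timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the session hash, or nil when the digest does not match
# (payload edited by the client, or a cookie signed with another secret).
def verify_session_cookie(cookie, secret = SECRET)
  data, digest = cookie.to_s.split("--", 2)
  return nil if data.nil? || digest.nil?
  expected = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("sha1"), secret, data)
  return nil unless secure_compare(expected, digest)
  Marshal.load(Base64.strict_decode64(data))
end

# Constructed stand-in for the users table; the real app queries the database.
USERS = { 42 => { user_type: "demo" }, 1 => { user_type: "admin" } }.freeze

# The role used for authorisation comes from the server-side record keyed by
# session[:user_id]; a user_type value carried in the cookie is never consulted.
def current_user_type(cookie, secret = SECRET)
  session = verify_session_cookie(cookie, secret)
  return nil unless session && session[:user_id]
  user = USERS[session[:user_id]]
  user && user[:user_type]
end
```

Even with the signed cookie, the server-side lookup is what makes a stale or unexpected role value in the session harmless: changing a user's type in the database takes effect on the next request without reissuing cookies.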
Look at this thread: Rails sessions current practices

ThoKra