How does rails/devise handle cookie sessions?

抹茶落季 2020-12-29 04:29

I'd like to understand what's really going on when signing in a user with rails/devise.

I've created a minimal rails app, installed devise and created a Use

1 answer
  • 2020-12-29 04:56

    The default rails session storage is CookieStore. This means that all the session data is stored in a cookie rather than in the database anywhere. In Rails 3.2 the cookie is signed to prevent tampering, but not encrypted. In Rails 4 it's generally encrypted by default. The fact that it's in a cookie is how it persists across restarts of your server. It also means you can only store 4k of data and you wouldn't want to store anything sensitive in there in Rails < 4. It's best to keep a minimum of data in the session anyway.

    You can also opt for storing the session data in the database and only having a session id in a cookie.

    This answer I gave the other week has some extra info that might be useful:

    Sessions made sense to me before I started reading about them online

    Also, the rails api doc for CookieStore gives a nice summary:

    http://api.rubyonrails.org/classes/ActionDispatch/Session/CookieStore.html

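Added example, not part of the original answer and not Rails' own code: a simplified model of the signed-but-unencrypted cookie the answer describes for Rails 3.2, showing that the client can read the session data without the key while any change to it fails verification. The function names, the `SECRET` value, the `payload--digest` layout with HMAC-SHA1 and the JSON serializer are assumptions made for the illustration.

```ruby
require "openssl"
require "base64"
require "json"

# Constructed sample secret; stands in for the application's secret token.
SECRET = "constructed-demo-secret-not-a-real-key"

def hmac(payload, secret)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("SHA1"), secret, payload)
end

# Sign only: the payload stays readable, an HMAC is appended after "--".
def sign_session(data, secret)
  payload = Base64.strict_encode64(JSON.generate(data))
  "#{payload}--#{hmac(payload, secret)}"
end

# Constant-time comparison so the digest check does not leak via timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Server side: returns the session hash, or nil if the cookie was altered.
def verify_session(cookie, secret)
  payload, digest = cookie.to_s.split("--", 2)
  return nil if payload.nil? || digest.nil?
  return nil unless secure_compare(digest, hmac(payload, secret))
  JSON.parse(Base64.strict_decode64(payload))
end

# What anyone holding the cookie can do without the secret: read it.
def read_without_secret(cookie)
  JSON.parse(Base64.decode64(cookie.split("--", 2).first))
end

# Change the payload but keep the old digest, as a modified cookie would.
def tamper(cookie, changes)
  payload, digest = cookie.split("--", 2)
  data = JSON.parse(Base64.decode64(payload)).merge(changes)
  "#{Base64.strict_encode64(JSON.generate(data))}--#{digest}"
end

cookie = sign_session({ "user_id" => 42, "note" => "visible to the client" }, SECRET)
puts read_without_secret(cookie).inspect                             # readable, no key
puts verify_session(cookie, SECRET).inspect                          # accepted
puts verify_session(tamper(cookie, "user_id" => 1), SECRET).inspect  # rejected
```

Signing gives integrity only, which is why the answer advises against putting anything sensitive in the session on Rails < 4.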