8
From Rails 4.0, was eliminated the Activerecord Session Store, that kept session variables in the database, for "performance issues." But the functionality continues to work through a Gem. Today Rails uses the Cookie Session Store.
Activerecord Session store - The Activerecord Session store is extracted to a Separate Gem. Storing Sessions in SQL is costly. Instead, use cookie Sessions, memcache Sessions, or a custom Session store.
Source: http://edgeguides.rubyonrails.org/4_0_release_notes.html
Translated:
Activerecord Session store - The Activerecord Session store has been transferred to a separate Gem. Storing sessions in the database is costly [in terms of performance]. Instead, use cookie-based sessions, memcache Sessions, or a Session store customized.
- Gem: https://github.com/rails/activerecord-session_store
- Commit to Rails/Rails: https://github.com/rails/rails/commit/0ffe19056c8e8b2f9ae9d487b896cad2ce9387ad
Despite this, I find references on the web saying that its use is still recommended (to avoid Session Hijacking, for example). Rails' own safety guide (http://guides.rubyonrails.org/security.html) seems to suggest this, although it does not nominally quote the Gem.
After all, it is really advantageous to use the database to store session variables such as the id user logged in, etc? The cost of performance comes to be noticeable?
Related to Session Hijacking: http://answall.com/q/36687/4751
– gmsantos