What are the advantages and disadvantages of storing session variables in the database?

Viewed 1,213 times

8

As of Rails 4.0, the ActiveRecord Session Store, which kept session variables in the database, was removed because of "performance issues." But the functionality continues to work through a gem. Today Rails uses the Cookie Session Store.

ActiveRecord session store - The ActiveRecord session store is extracted to a separate gem. Storing sessions in SQL is costly. Instead, use cookie sessions, memcache sessions, or a custom session store.

Source: http://edgeguides.rubyonrails.org/4_0_release_notes.html

Translated:

ActiveRecord session store - The ActiveRecord session store has been moved to a separate gem. Storing sessions in the database is costly [in terms of performance]. Instead, use cookie-based sessions, memcache sessions, or a custom session store.

Despite this, I find references on the web saying that its use is still recommended (to avoid session hijacking, for example). Rails' own security guide (http://guides.rubyonrails.org/security.html) seems to suggest this, although it does not mention the gem by name.

After all, is it really advantageous to use the database to store session variables such as the id of the logged-in user, etc.? Does the performance cost become noticeable?

  • Related to Session Hijacking: http://answall.com/q/36687/4751

2 answers

2

I’m not a web expert, but I believe I can contribute to the issue.

Sessions in the database

Advantages

  • Easy to scale: Considering that it is not an application that uses database replication, it is simpler to store the data in a resource that is shared between servers.
  • Ease of implementation: Controlling a session via the database gives a simpler implementation, based on queries and SQL commands, something most developers know well.

Disadvantages

  • Slowness: Being a shared resource, if the number of reads and writes is too large, the "advantage" of being a shared resource can cause slowness on all servers by overloading the database.
  • Layering: Technically, the database is a persistence layer, not a medium or temporary storage resource. Therefore, places that would not need to serialize their access by requesting data from the database begin to require it even where there is no need.

Alternatives

Redis: an in-memory data server, distributed, with optional persistence, at optimal speed, open source and maintained by Pivotal Software. Source: Wikipedia

Memcached: Free, open-source, high-performance memory distributed object caching system. Source: http://memcached.org/

Do not use the session, but keep the data in the client app and use basic, digest or token authentication.

  • Don't you contradict yourself with easy scalability and slowness when there are many writes and reads?

0

The main use for a DB session is when you want to share the session between more than one app.

You can also use it to store more data than cookies allow (4k).

As for performance, it is noticeable if it is measured in tools like New Relic; for the end user it depends a lot on what the application does.

If for any reason you need to store sessions other than in cookies, use memcached.

Here’s an example of how to do it: https://github.com/mperham/dalli#Usage-with-Rails-3x-and-4x
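The session-hijacking argument from the question comes down to whether the server can invalidate a session. The following is an added Ruby example, not code from this thread or from Rails: it models a signed-cookie session next to a server-side one and shows what each returns when a cookie value copied before logout is presented again. `SignedCookieSession`, `ServerSideSessions`, `replay_after_logout` and the secret are hypothetical, and a Hash stands in for the sessions table or memcached.

```ruby
require "openssl"
require "json"
require "securerandom"

SECRET = "constructed-demo-secret" # constructed; stands in for the app's secret key

# Client-side store: the whole session travels in a signed cookie.
module SignedCookieSession
  def self.dump(data)
    payload = [JSON.generate(data)].pack("m0") # strict Base64
    "#{payload}--#{OpenSSL::HMAC.hexdigest("SHA256", SECRET, payload)}"
  end

  def self.load(cookie)
    payload, mac = cookie.to_s.split("--", 2)
    return {} if payload.nil? || mac.nil?
    expected = OpenSSL::HMAC.hexdigest("SHA256", SECRET, payload)
    return {} unless OpenSSL.secure_compare(expected, mac) # reject tampering
    JSON.parse(payload.unpack1("m0"))
  end
end

# Server-side store: the cookie carries only a random id; a Hash stands in
# for the sessions table (or memcached).
class ServerSideSessions
  def initialize
    @rows = {}
  end

  def create(data)
    SecureRandom.hex(16).tap { |sid| @rows[sid] = data }
  end

  def load(sid)
    @rows.fetch(sid, {})
  end

  def destroy(sid)
    @rows.delete(sid)
  end
end

# What each store returns when a value copied before logout is presented again.
def replay_after_logout
  copied_cookie = SignedCookieSession.dump("user_id" => 42)
  store = ServerSideSessions.new
  copied_sid = store.create("user_id" => 42)
  store.destroy(copied_sid) # logout deletes the row; the cookie store has no row to delete
  { cookie_store: SignedCookieSession.load(copied_cookie),
    server_store: store.load(copied_sid) }
end
```

In this model the signature stops tampering but not reuse: the copied cookie is accepted until the secret changes, while the server-side id stops working as soon as its row is deleted.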
