How to add a new column to Rails' sessions

Luke Ludwig — Mon, 26 Nov 2007 17:59:00 -0600

For a rails app at work we store user access privileges in the session. This is done as an optimization to avoid an extra sql query that would need to be done for every page view to determine if the user has edit privileges. Security-minded people may see this as a security hole. For this application I don't see this as a big deal. Its not like our rails app is controlling the launch of nuclear missiles.

The problem is that when an admin goes to modify the user access privileges for someone, the changes won't take affect until the user next logs in since the user access privileges are stored in the session. So if the user is already logged in this is a problem. They will have to log out and log back in for the changes to take affect. The solution to this problem is to modify the session of the user who's access privileges were modified.

To do this we need to add a user_id column to the sessions table. This can be done like any other migration. The tricky part is accessing the user_id column. We will want to set the user_id of the session when someone logs in. This of course will not work:

session.user_id = @user.id

The session we are so familiar with is not like other ActiveRecord objects. If you are using ActiveRecordStore for your session storage (the rails built-in database session storage mechanism), this is easy. For ActiveRecordStore, the session has a model attribute allowing you to access the ActiveRecord session object. First you need to make a session model class which extends ActiveRecord. Mine looked lke this:

class Session < ActiveRecord::Base

end

Then inside your "login" action you can do:

session.model.user_id = @user.id

Then just rely on the automatic session saving built into rails to save the user_id to the database.

If you are using SqlSessionStore, you don't have access to the model attribute. Instead you can do this to set the user_id:

my_session = Session.find_by_session_id(session.session_id)
my_session.update_attribute(:user_id, current_user.id)

Now presumably at some point in your application you will need to access and make use of the user_id column. For me this is when the user access privileges are modified. Since we created a session.rb model class, we can use the built in rails find method to find all sessions for the user.

sessions = Session.find(:all, :conditions => "user_id = #{user.id}", :select => "session_id")

To take advantage of the built-in session data marshaling in rails, we need to access the session like this:

user_session = CGI::Session::ActiveRecordStore::Session.find_by_session_id(sess.session_id)

Then we can set a session value using the data attribute and save the session off. Here is the full code for updating the sessions:

        sessions.each do |sess|
        user_session = CGI::Session::ActiveRecordStore::Session.find_by_session_id(sess.session_id)
        user_session.data[:access_privileges] = new_access_privileges
        user_session.save
        end

Mad Marmot: Tag ActiveRecordStore

How to add a new column to Rails' sessions