ruby on rails - Is hitting the database required for current_user? -


i've been following tutorial sets simple user authentication. following code used determine if user logged in:

  def current_user     @current_user ||= user.find(session[:user_id]) if session[:user_id]   end

if wanted ensure user logged in (and don't require user model), use like:

def is_user_logged_in    true if session[:user_id] end

this way wouldn't have hit database if wanted check if user logged in. correct? , if so, there security concerns?

the current_user helper popularized devise (if didn't know).

in fact, user_signed_in? method popularized devise:

def user_signed_in?     !!current_user end

i looked @ devise time back; built on top of warden middleware. there's tutorial here:

the devise gem built on top of warden. warden rack application, means runs separate , standalone module, , (nearly always) executed before chief rails application invoked.

warden provides cookie handling verifies identity of logged in user via (secure) session string, in id (primary key) of particular user somehow stored , disguised. warden provides hook app can deal users aren’t logged in. these users either have restricted access, or none @ all, except, of course, sign-in/sign-up pages.

warden handles user authentication well. if need ideas, can @ how it.

[warden]

--

from technical perspective, there's absolutely nothing wrong you're doing.

however, pointed out, problems may encounter systemic; validating authentication need consistent, not once user sets :user_id session.

thus, following:

  1. user_id should not kept in session variable. @ least, should encoded sort of salt. (the less people know user data structure better)
  2. i validate authentication somehow. once authenticated, i'd create authenticated token in session, compare stored token (kind of oauth).

in respect second suggestion, there interesting thing do. there semi-persistent storage solutions (the popular rails being redis) save db authentication whilst providing ram-type data access...

enter image description here

redis database stored in memory; use store key: value pairs (json). more importantly, allows create super lightweight authentication system, saving expensive sql.

def user_signed_in?     return redis.get(current_user.id) ? true : false end

although crude example, should give idea how caching , external sources give ability streamline queries somewhat.

you'd able see if user has right token in redis, providing array of "logged in" users. no db calls.


Comments

Post a Comment

Popular posts from this blog

java - WARN : org.springframework.web.servlet.PageNotFound - No mapping found for HTTP request with URI [/board/] in DispatcherServlet with name 'appServlet' -

this question has answer here: why spring mvc respond 404 , report “no mapping found http request uri […] in dispatcherservlet”? 3 answers i trying making simple bbs i'm encountering following error, warn : org.springframework.web.servlet.pagenotfound - no mapping found http request uri [/board/] in dispatcherservlet name 'appservlet' i have tried solve error many times, have failed. how can solve error? here web.xml, controllerand , servlet-context. my web.xml <?xml version="1.0" encoding="utf-8"?> <web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/xmlschema-instance" xsi:schemalocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"> <filter> <filter-nam...
Read more

1111. appearing after print sequence - php -

morning, i have code takes string of shoe sizes, explodes , puts in table. code works , info displayed correctly on page after table there few 1's after table. i'm confused this. so table looks (in columns of 3 on webpage) available in following sizes: 3 4 5 6 9 10 111 here's codes, purpose of example $x = 3|4|6|10|9 function get_sizes_pipe($x) { $counter = 0; $splits = explode("|",$x); asort($splits); $x = print "<table class='greentable'>"; $x .= print "<thead><tr><th scope='col' colspan='3' abbr='starter'>available in following sizes:</th></tr></thead><tbody><tr>"; foreach ($splits $split) { $entry = print "<td>".$split."</td>"; if($counter == 2){ $entry .= print "</tr><tr>"; $counter =0; } else { $counter++; ...
Read more

android - How to create dynamically Fragment pager adapter -

i unable create dynamic layout each tabs, able create tabs dynamically constructor(public mypageradapter(fragmentmanager fm , int nooftabs)), coudn't inflate view each tabs creating each fragment should dyanmic. public class mypageradapter extends fragmentpageradapter { private final string[] titles = { "categories", "home", "top paid", "top free", "top grossing", "top new paid", "top new free", "trending" }; int nooftabs; **public mypageradapter(fragmentmanager fm , int nooftabs) { super(fm); this.nooftabs = nooftabs; }** /*public mypageradapter(fragmentmanager fm) { super(fm); }*/ @override public charsequence getpagetitle(int position) { return titles[position]; } @override public int getcount() { ...
Read more