ruby on rails - Is hitting the database required for current_user?


I've been following a tutorial that sets up simple user authentication. The following code is used to determine whether a user is logged in:

  def current_user
    # Memoize the lookup so a request only hits the database once
    @current_user ||= User.find(session[:user_id]) if session[:user_id]
  end

If I wanted to ensure a user is logged in (and didn't require the User model), I could use something like:

  def is_user_logged_in
    true if session[:user_id]
  end

This way I wouldn't have to hit the database if I just wanted to check whether a user is logged in. Is this correct? And if so, are there any security concerns?

The current_user helper was popularized by Devise (in case you didn't know).

In fact, the user_signed_in? method was also popularized by Devise:

  def user_signed_in?
    # Double negation coerces the user object (or nil) to a plain boolean
    !!current_user
  end

I looked at Devise some time back; it's built on top of the Warden middleware. There's a tutorial here:

The Devise gem is built on top of Warden. Warden is a Rack application, which means it runs as a separate, standalone module, and is (nearly always) executed before the main Rails application is invoked.

Warden provides cookie handling that verifies the identity of a logged-in user via a (secure) session string, in which the id (primary key) of the particular user is somehow stored and disguised. Warden also provides a hook so the app can deal with users who aren't logged in. These users either have restricted access, or none at all, except, of course, for the sign-in/sign-up pages.

Warden handles user authentication well. If you need ideas, you can look at how it does it.

[warden]

--

From a technical perspective, there's absolutely nothing wrong with what you're doing.

However, as pointed out, the problems you may encounter are systemic; validating authentication needs to be consistent, not just once when the user sets :user_id in the session.

Thus, I'd do the following:

  1. The user_id should not be kept in the session variable as-is. At the very least, it should be encoded with some sort of salt. (The less people know about your user data structure, the better.)
  2. I would validate authentication somehow. Once authenticated, I'd create an authenticated token in the session, and compare that to a stored token (kind of like OAuth).

In respect of the second suggestion, there is an interesting thing you can do. There are semi-persistent storage solutions (the most popular for Rails being Redis) that save DB authentication whilst providing RAM-type data access...


Redis is a database stored in memory; you use it to store key: value pairs (JSON). More importantly, it allows you to create a super lightweight authentication system, saving expensive SQL.

  def user_signed_in?
    # A key present in Redis for this user's id means "logged in"
    return redis.get(current_user.id) ? true : false
  end

Although this is a crude example, it should give you an idea of how caching and external sources give you the ability to streamline your queries somewhat.

You'd be able to see if the user has the right token in Redis, providing an array of "logged in" users. No DB calls.
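The token-in-session approach from the second suggestion, worked through as an added example (this is not code from the question or from either answer, and it is not Devise's or Warden's implementation). It assumes a Rails-style `session` Hash and a Redis-like store with get/set/del; so that it runs offline it substitutes a constructed in-memory `InMemoryTokenStore` for Redis, and the `SessionAuth` class, its method names and the 30-minute TTL are all hypothetical choices:

```ruby
# Added example, not from the original page. Assumptions: `session` is a
# Hash (as in Rails), Redis is replaced by an in-memory stand-in, and the
# class/method names and TTL below are invented for illustration.
require 'securerandom'
require 'digest'

# Constructed stand-in for a Redis client. Keys carry an optional absolute
# expiry (Unix time) so revocation-by-timeout behaves like Redis EXPIRE.
class InMemoryTokenStore
  def initialize(clock: -> { Time.now.to_i })
    @data = {}
    @clock = clock
  end

  def set(key, value, ttl: nil)
    expires_at = ttl ? @clock.call + ttl : nil
    @data[key] = [value, expires_at]
    'OK'
  end

  def get(key)
    value, expires_at = @data[key]
    return nil if value.nil?
    if expires_at && @clock.call >= expires_at
      @data.delete(key)   # lazily expire, as Redis would
      return nil
    end
    value
  end

  def del(key)
    @data.delete(key) ? 1 : 0
  end
end

class SessionAuth
  TOKEN_TTL = 30 * 60   # assumed idle timeout of 30 minutes

  def initialize(store)
    @store = store
  end

  # Called once credentials have been verified. Only a random token goes into
  # the cookie-backed session; the store keeps a SHA-256 of it mapped to the
  # user id, so a leaked store dump does not yield usable session tokens.
  def sign_in(session, user_id)
    token = SecureRandom.urlsafe_base64(32)
    @store.set(key_for(token), user_id.to_s, ttl: TOKEN_TTL)
    session[:auth_token] = token
    token
  end

  # The cheap check: one key lookup, no User.find. Returns the user id the
  # token was issued for, or nil if there is no token, it expired, or it was
  # revoked server-side.
  def signed_in_user_id(session)
    token = session[:auth_token]
    return nil if token.nil? || token.empty?
    id = @store.get(key_for(token))
    id && id.to_i
  end

  def user_signed_in?(session)
    !signed_in_user_id(session).nil?
  end

  # Server-side revocation: deleting the store entry logs the user out even if
  # a copy of the cookie is still out there, which a bare session[:user_id]
  # check cannot do.
  def sign_out(session)
    token = session.delete(:auth_token)
    @store.del(key_for(token)) if token
  end

  private

  # Store keys are derived from the token, never the raw token itself
  def key_for(token)
    "session:#{Digest::SHA256.hexdigest(token)}"
  end
end
```

Only the random token travels in the cookie; the store holds a hash of it keyed to the user id, so `user_signed_in?` is a single key lookup, and `sign_out` (or deleting the key from any admin tool) revokes the session server-side. With real Redis, `set` with a TTL maps to SETEX and the lookup to GET; the rest of the logic is unchanged.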

