David J Rice

There aren’t that many resources about the relatively new option for session storage in Rails. So while I have been migrating a legacy application to Rails 2, I wanted to note some of my thoughts.

Cookie Storage

Pros

• Storage is now distributed to the client within the session cookie.
• Up to 4k of data can be stored within it securely thanks to the neat work done by the core team.
• It’s a simple solution to provide scalability by default, no more centralized drb, memcached, db, filesystem to store your sessions.
• Slight performance boost with the session not having to be retrieved, it is sent with the request.

Cons

• Session data is transmitted to the client, albeit encrypted and tamper proof.
• An extra overhead of roughly 162 Bytes per request in the http headers when sessions are turned on, due to the longer session_id.
• You can only store 4k.

Active Record Storage

Pros

• You can store as much session data as you want.
• If the session data is super secret, it’s never transmitted over the wire.
• Roughly 162 Bytes less per request in the http headers when session are turned on.

Cons

• Another moving part to manage (i.e. clearing the Active Record sessions table).
• Slight performance hit retrieving the session.

So, in conclusion the Cookie Storage is a great default for Rails as it will suit the vast majority of applications. I’ve found it great for recent projects, it mainly means you don’t really have to think about sessions anymore.

More Resources

• Ryan Daigle’s article about cookie session.
• Scott Baron’s excellent performance comparision.
• A great run-down on all of the other session storage options in a lot more detail over on Err the Blog.