29 Jul 2008, 21:02
Kyle Murphy (3 posts)

For authorize in application.rb, would it be safe to use “unless session[:user_id]” rather than “unless User.find_by_id(session[:user_id])” to check whether the user is logged in, or can the former be exploited somehow? Thank you.

30 Jul 2008, 12:55
Dave Thomas (366 posts)

Say the user was being a pest, and you wanted to stop them logging on. You could delete their row from the database. With the book’s code, that would mean that the authorize method would then fail for them. Only checking the session id would allow them to log in, but would then confuse the rest of the application as there’d be no user data there.
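To make the difference concrete, here is an added example (not code from the book or from either post) that models the two authorize variants without Rails. The `UserStore` class stands in for the users table and mirrors the nil-returning behaviour of `find_by_id`; the session is a plain Hash. The method names `authorize_session_only` and `authorize_with_lookup` are invented here for illustration.

```ruby
# Constructed stand-in for the users table, keyed by id.
class UserStore
  def initialize
    @rows = { 1 => { name: "alice" }, 2 => { name: "bob" } }
  end

  # Mirrors ActiveRecord's find_by_id: returns the row or nil, never raises.
  def find_by_id(id)
    @rows[id]
  end

  # Simulates deleting the pest's row from the database.
  def delete(id)
    @rows.delete(id)
  end
end

# Weak check: only asks whether a user_id was ever stored in the session.
# A session minted before the row was deleted still passes.
def authorize_session_only(session)
  !session[:user_id].nil?
end

# Book-style check: the session is trusted only if the id still resolves to
# a live row, so deleting the row revokes access on the next request.
def authorize_with_lookup(session, users)
  !users.find_by_id(session[:user_id]).nil?
end

# Walk through the scenario from the reply: bob is logged in, then his row
# is deleted. Returns the verdicts of both checks before and after.
def demo
  users = UserStore.new
  session = { user_id: 2 }            # bob logged in earlier
  before = [authorize_session_only(session), authorize_with_lookup(session, users)]
  users.delete(2)                     # admin removes the pest
  after  = [authorize_session_only(session), authorize_with_lookup(session, users)]
  { before: before, after: after }
end

puts demo.inspect
```

After the row is deleted the session-only check still returns true, which is exactly the state the reply warns about: the request is "authorized" but every later `User` lookup in the application comes back nil.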