Tags: ruby-on-rails, devise, warden

What is the warden data in a Rails/Devise session composed of?


The "data" in a Rails session looks like this:

{"warden.user.user.key" => [[1], "long-random-string"]}

1 is the user id. What is the long random string?

Is this something handled/used by Rails, or Devise?


Solution

  • When you log in a user (Devise model name User), a key "warden.user.model_name.key" is created, which in your case is "warden.user.user.key".

    For example:

    { warden.user.user.key => [[1], "$2a$10$KItas1NKsvunK0O5w9ioWu"] }
    

    where

    1 is the id of the logged-in user.

    $2a$10$KItas1NKsvunK0O5w9ioWu, a.k.a. the long random string, is the partial encrypted password of the user with id 1.

    You can verify this by opening a Rails console and executing

    User.find(1).encrypted_password  
    ## => "$2a$10$KItas1NKsvunK0O5w9ioWuWp4wbZ4iympYMqVCRmmvTGapktKqdMe"
    

    UPDATE

    Could you tell me a bit more about this partial encrypted password? Why is it partial and not full?

    To answer your question in the comment above: Devise stores the partial encrypted_password in the session by invoking the authenticatable_salt method. Devise stores the partial encrypted_password because it is more reliable than exposing the full encrypted_password in the session (even though it is encrypted). That's why the first 30 characters ([0,29]) of the encrypted_password are extracted and stored in the session.

      # A reliable way to expose the salt regardless of the implementation.
      def authenticatable_salt
        encrypted_password[0,29] if encrypted_password
      end
    

    You can see the code for authenticatable_salt here.

    Where/when is it used? Is it used by Devise, or by Rails, or both?

    It is used by Devise for authentication purposes, to verify whether or not a particular user is logged in. The ideal use-case would be how a particular Rails application keeps track of a logged-in user when a new page is requested. As HTTP requests are stateless, it would be impossible to tell that a given request actually came from the particular user who is logged in. This is why sessions are important: they allow the application to keep track of the logged-in user from one request to the next until the session expires.
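The round trip the answer describes, as an added example that is not Devise's or Warden's own code: a Rails-free Ruby model of what Devise does when it serializes a user into the Warden session at login and reads it back on the next request. The User class, the in-memory USERS store, the secure_compare helper and the second bcrypt-format string are assumptions constructed for this example; the first hash is the one shown in the answer, and the method names mirror Devise's. It also shows why the salt prefix is stored instead of only the id: when the password changes, bcrypt produces a new salt, the prefix in every existing session stops matching, and those sessions no longer deserialize to a user.

```ruby
# Added example (not Devise's or Warden's code): a Rails-free model of how
# Devise serializes a user into the Warden session and checks it on later
# requests. User, USERS and the second bcrypt-format string are constructed
# for this example; the method names mirror Devise's.

class User
  attr_reader :id, :encrypted_password

  def initialize(id, encrypted_password)
    @id = id
    @encrypted_password = encrypted_password
  end

  # Like ActiveRecord#to_key: the primary key wrapped in an array.
  def to_key
    [id]
  end

  # Mirrors Devise's authenticatable_salt: the first 29 characters of the
  # bcrypt string, i.e. "$2a$10$" plus the 22-character salt.
  def authenticatable_salt
    encrypted_password[0, 29] if encrypted_password
  end

  # A password change yields a new bcrypt string with a new salt, so the
  # prefix stored in every existing session stops matching.
  def update_password(new_encrypted_password)
    @encrypted_password = new_encrypted_password
  end
end

# Constant-time comparison in the style of Devise.secure_compare, so the
# salt check does not leak how many leading characters matched.
def secure_compare(a, b)
  return false if a.nil? || b.nil? || a.bytesize != b.bytesize
  left = a.unpack("C*")
  res = 0
  b.each_byte { |byte| res |= byte ^ left.shift }
  res.zero?
end

USERS = {} # constructed in-memory store standing in for the users table

def session_key(scope = :user)
  "warden.user.#{scope}.key"
end

# What Devise stores under "warden.user.<scope>.key" at login.
def serialize_into_session(user)
  [user.to_key, user.authenticatable_salt]
end

# What Devise does on each later request: reload the record by id and accept
# it only if the salt prefix in the session still matches the current hash.
def serialize_from_session(key, salt)
  user = USERS[key.first]
  user if user && secure_compare(user.authenticatable_salt, salt)
end

# Login, a follow-up request, then a password change that invalidates the session.
def demo
  USERS.clear
  alice = User.new(1, "$2a$10$KItas1NKsvunK0O5w9ioWuWp4wbZ4iympYMqVCRmmvTGapktKqdMe")
  USERS[alice.id] = alice

  session = { session_key => serialize_into_session(alice) }
  before = serialize_from_session(*session[session_key])

  # Constructed replacement hash with a different salt, as bcrypt would produce.
  alice.update_password("$2a$10$Zq7vDmAqgXqW9rPNbO4mxeB9H5vk1hWzRsP2N3mJ8LcQwTyUxIjKa")
  after = serialize_from_session(*session[session_key])

  { session: session, before_change: before && before.id, after_change: after.nil? }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Running the file prints the session hash in exactly the shape the question shows, `{"warden.user.user.key"=>[[1], "$2a$10$KItas1NKsvunK0O5w9ioWu"]}`, followed by `before_change: 1` and `after_change: true`. The comparison is constant-time for the same reason Devise's is: the salt prefix is secret-derived material, so the check should not reveal how much of it an attacker-supplied cookie value got right.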