
Session-based authentication in Ruby on Rails

Introduction

Session-based authentication helps websites remember who you are after you log in. It keeps you signed in while you browse.

When you want users to log in and stay logged in while using your website.
When you need to protect parts of your site so only signed-in users can see them.
When you want to track user activity during a visit without asking them to log in every time.
When building a simple web app that needs user accounts without complex token systems.
Syntax
Ruby on Rails
class SessionsController < ApplicationController
  def create
    user = User.find_by(email: params[:email])
    if user&.authenticate(params[:password])
      reset_session # rotate the session id on login so a pre-login id never becomes an authenticated one
      session[:user_id] = user.id
      redirect_to root_path, notice: 'Logged in successfully'
    else
      flash.now[:alert] = 'Invalid email or password'
      render :new
    end
  end

  def destroy
    session.delete(:user_id)
    redirect_to root_path, notice: 'Logged out successfully'
  end
end

Use session[:key] to store or access session data.

Sessions are stored on the server, and the browser keeps a cookie to identify the session.

Examples
Stores the logged-in user's ID in the session to remember them.
Ruby on Rails
session[:user_id] = user.id
Removes the user ID from the session to log the user out.
Ruby on Rails
session.delete(:user_id)
Fetches the current logged-in user using the ID stored in the session.
Ruby on Rails
current_user = User.find_by(id: session[:user_id])
Sample Program

This example shows a simple session-based login system. The SessionsController handles logging in and out. The ApplicationController has a helper method to get the current user and a method to protect pages that need login.

Ruby on Rails
class SessionsController < ApplicationController
  def new
    # Shows login form
  end

  def create
    user = User.find_by(email: params[:email])
    if user&.authenticate(params[:password])
      reset_session # rotate the session id on login so a pre-login id never becomes an authenticated one
      session[:user_id] = user.id
      redirect_to root_path, notice: 'Logged in successfully'
    else
      flash.now[:alert] = 'Invalid email or password'
      render :new
    end
  end

  def destroy
    session.delete(:user_id)
    redirect_to root_path, notice: 'Logged out successfully'
  end
end

class ApplicationController < ActionController::Base
  helper_method :current_user

  def current_user
    @current_user ||= User.find_by(id: session[:user_id])
  end

  # Use as before_action :authenticate_user! in any controller that needs login
  def authenticate_user!
    redirect_to login_path, alert: 'Please log in' unless current_user
  end
end
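The controllers above only run inside Rails, so here is the same login, current_user and logout flow modelled in plain Ruby as an added example (not code from this page or from Rails) that needs nothing beyond the standard library. It keeps the session data in a server-side hash and hands the client nothing but a random session id, which is the model the page describes and what the ActiveRecord and cache session stores do; Rails' default CookieStore instead keeps the session data itself inside an encrypted, signed cookie. The user table, the ServerSessionStore and AuthFlow class names and the PBKDF2 password hashing (standing in for has_secure_password's bcrypt) are all assumptions made for this example. Login discards the pre-login session and creates a fresh id, the equivalent of calling reset_session before assigning session[:user_id].

```ruby
# Added example (not from the page or from Rails): a plain-Ruby model of the
# login / current_user / logout flow backed by a server-side session store.
require 'securerandom'
require 'openssl'

# Constant-time comparison so a wrong guess does not leak where it failed.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# PBKDF2 stands in for has_secure_password's bcrypt (assumption for this example).
def hash_password(password, salt)
  OpenSSL::PKCS5.pbkdf2_hmac(password, salt, 20_000, 32, 'sha256')
end

def build_user(id, email, password)
  salt = SecureRandom.random_bytes(16)
  { id: id, email: email, salt: salt, password_hash: hash_password(password, salt) }
end

def verify_password(user, password)
  secure_compare(hash_password(password, user[:salt]), user[:password_hash])
end

# Constructed user table standing in for the User model.
USERS = { 'alice@example.com' => build_user(1, 'alice@example.com', 'correct horse') }

# Server-side session store: the data stays here, the client only holds the id.
class ServerSessionStore
  def initialize
    @sessions = {} # session_id => session data
  end

  def create(data = {})
    id = SecureRandom.hex(32) # 256 bits of randomness: the id cannot be guessed
    @sessions[id] = data
    id
  end

  def [](id)
    @sessions[id]
  end

  def delete(id)
    @sessions.delete(id)
  end

  def size
    @sessions.size
  end
end

class AuthFlow
  def initialize(store, users)
    @store = store
    @users = users
  end

  # SessionsController#create: returns the new session id (the value Set-Cookie
  # would carry) or nil when the credentials are wrong.
  def login(old_session_id, email, password)
    user = @users[email]
    return nil unless user && verify_password(user, password)
    # Equivalent of reset_session before session[:user_id] = user.id: the
    # pre-login id is discarded, so an id planted in the browser before
    # authentication never becomes an authenticated session.
    @store.delete(old_session_id) if old_session_id
    @store.create(user_id: user[:id]) # only the id is stored, nothing sensitive
  end

  # SessionsController#destroy: removing the server-side record makes the old
  # cookie value useless even if the browser keeps it.
  def logout(session_id)
    @store.delete(session_id)
  end

  # ApplicationController#current_user
  def current_user(session_id)
    data = @store[session_id]
    data && @users.values.find { |u| u[:id] == data[:user_id] }
  end

  # ApplicationController#authenticate_user!: :ok, or :redirect_to_login
  def authenticate_user!(session_id)
    current_user(session_id) ? :ok : :redirect_to_login
  end
end

if __FILE__ == $PROGRAM_NAME
  store = ServerSessionStore.new
  flow = AuthFlow.new(store, USERS)
  sid = flow.login(nil, 'alice@example.com', 'correct horse')
  puts "logged in as #{flow.current_user(sid)[:email]}"
  flow.logout(sid)
  puts "after logout: #{flow.authenticate_user!(sid)}"
end
```

Run it with ruby and watch the session id change on login: whatever id the browser held before authentication is gone from the store, and after logout the old id maps to nothing, so a copied cookie cannot be replayed.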
Important Notes

Sessions rely on cookies, so users must have cookies enabled in their browser.

Always use secure cookies (HTTPS) in production to protect session data.

Do not store sensitive data directly in the session; store only user IDs or tokens.
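As an added example (not from this page or from Rails) of the two notes on secure cookies and on keeping sensitive data out of the session, the plain-Ruby code below builds the Set-Cookie header a production session cookie should carry and signs the session id with an HMAC so that an altered cookie is rejected. The secret value, the cookie name _app_session and the function names are assumptions; in Rails this is handled for you by config.session_store and secret_key_base, and the default CookieStore also encrypts the cookie. A signature only proves the cookie was issued by the server, it does not hide the contents, which is why the session value should be an opaque id rather than a secret.

```ruby
# Added example (not from the page or from Rails): signing a session id and
# emitting the cookie attributes a production session cookie should have.
require 'openssl'

# Stands in for Rails' secret_key_base (constructed value for the example only).
SECRET = 'constructed-demo-secret'

# Constant-time comparison for the MAC check.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# "value--hmac": the MAC lets the server detect any change to the value.
def sign(value, secret = SECRET)
  "#{value}--#{OpenSSL::HMAC.hexdigest('sha256', secret, value)}"
end

# Returns the original value, or nil if the cookie was altered, malformed or
# signed with a different secret.
def verify(signed, secret = SECRET)
  value, sep, mac = signed.to_s.rpartition('--')
  return nil if sep.empty?
  expected = OpenSSL::HMAC.hexdigest('sha256', secret, value)
  secure_compare(mac, expected) ? value : nil
end

# Set-Cookie header for the session id.
#   Secure        only sent over HTTPS (the "secure cookies" note above)
#   HttpOnly      not readable from JavaScript
#   SameSite=Lax  not sent on cross-site POST requests
# The cookie name _app_session is an assumption for this example.
def session_cookie_header(session_id, secure: true)
  attrs = ["_app_session=#{sign(session_id)}", 'Path=/', 'HttpOnly', 'SameSite=Lax']
  attrs << 'Secure' if secure
  "Set-Cookie: #{attrs.join('; ')}"
end

if __FILE__ == $PROGRAM_NAME
  puts session_cookie_header('3f9a...constructed-id')
  # The value is readable by anyone holding the cookie; only the MAC is secret-
  # dependent. That is why nothing sensitive should go in a session value.
  puts "verified: #{verify(sign('user_id=1')).inspect}"
  puts "tampered: #{verify('user_id=2--' + sign('user_id=1').rpartition('--')[2]).inspect}"
end
```

The secure: keyword exists so a development environment without TLS can still set the cookie; in production it should never be false, otherwise the session id travels in clear text on any plain-HTTP request.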

Summary

Session-based authentication remembers users by storing their ID in a server-side session.

Use session[:user_id] to track logged-in users.

Clear the session to log users out safely.