Ruby on Rails framework, ~10 mins

Session-based authentication in Ruby on Rails - Step-by-Step Execution

Concept Flow - Session-based authentication
User submits login form
Server checks credentials
Create session
Store session ID in cookie
User requests protected page
Server reads session ID from cookie
Allow access
This flow shows how a user logs in, the server creates a session stored in a cookie, and later requests check that session to allow or deny access.
Execution Sample
Ruby on Rails
def create
  user = User.find_by(email: params[:email])
  if user&.authenticate(params[:password])
    session[:user_id] = user.id
    redirect_to '/dashboard'
  else
    redirect_to '/login'
  end
end
This code logs in a user by checking credentials and storing the user ID in the session if valid.
Execution Table
Step | Action | Input | Session State | Output/Redirect
1 | User submits login form | email=user@example.com, password=secret | {} | Check credentials
2 | Server finds user by email | user@example.com | {} | User found
3 | Server authenticates password | secret | {} | Password valid
4 | Server sets session user_id | user.id=42 | {user_id: 42} | Redirect to /dashboard
5 | User requests /dashboard | cookie with session user_id=42 | {user_id: 42} | Allow access
6 | User requests /profile without session | no session cookie | {} | Redirect to /login
💡 Execution stops when user is redirected or access is granted/denied based on session presence.
Variable Tracker
Variable | Start | After Step 4 | After Step 5 | After Step 6
session | {} | {user_id: 42} | {user_id: 42} | {}
user | nil | User(id=42) | User(id=42) | nil
params | {} | {email: 'user@example.com', password: 'secret'} | {} | {}
Key Moments - 3 Insights
Why does the server store user_id in session instead of user object?
The server stores only user_id in session (see Step 4) because sessions hold small data like IDs, not full objects, to keep session size small and secure.
What happens if the session cookie is missing on a protected page request?
As shown in Step 6, if the session cookie is missing, the server redirects the user to the login page because it cannot verify the user's identity.
Why do we check credentials before setting the session?
Step 3 ensures the password is correct before setting session[:user_id] in Step 4, preventing unauthorized access.
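To show the login action from the Execution Sample together with the protected-page check of Steps 5 and 6, here is an added, self-contained Ruby example (not code from the original page or from Rails itself). User and SessionsController are hypothetical in-memory stand-ins for the Rails model and controller, the sample user is constructed, and the example additionally calls reset_session on successful login, which is the session fixation defence Rails recommends.

```ruby
require 'openssl'
require 'securerandom'
# Constructed in-memory stand-in for the User model (hypothetical, not ActiveRecord);
# it keeps salted PBKDF2 digests, as has_secure_password does with bcrypt.
class User
  attr_reader :id, :email
  def initialize(id, email, password)
    @id, @email, @salt = id, email, SecureRandom.random_bytes(16)
    @digest = User.digest(password, @salt)
  end
  def self.digest(password, salt)
    OpenSSL::PKCS5.pbkdf2_hmac(password, salt, 100_000, 32, 'sha256')
  end
  # Like has_secure_password#authenticate: the user on success, false otherwise.
  # Constant-time compare so timing does not reveal how many digest bytes matched.
  def authenticate(password)
    OpenSSL.fixed_length_secure_compare(User.digest(password, @salt), @digest) && self
  end
  USERS = [new(42, 'user@example.com', 'secret')].freeze # constructed sample data
  def self.find_by(**attrs)
    USERS.find { |u| attrs.all? { |k, v| u.public_send(k) == v } }
  end
end
# Minimal stand-in for the controller: `session` is the hash Rails serializes into the
# cookie, and `redirect_to` only records the target so the outcome can be inspected.
class SessionsController
  attr_reader :session, :redirected_to
  def initialize(session = {}); @session = session; end
  def redirect_to(path); @redirected_to = path; end
  # Rails also issues a fresh session id here, which is the session fixation defence.
  def reset_session; @session = {}; end
  def create(params)
    user = User.find_by(email: params[:email])
    if user&.authenticate(params[:password])
      reset_session # rotate the session before trusting it with the new identity
      session[:user_id] = user.id
      redirect_to '/dashboard'
    else
      redirect_to '/login' # same response for an unknown email and a wrong password
    end
  end
  # Steps 5 and 6: a protected action resolves the user from session[:user_id] and
  # bounces to /login when nothing valid is there (a before_action in real Rails).
  def current_user
    @current_user ||= session[:user_id] && User.find_by(id: session[:user_id])
  end
  def require_login
    redirect_to '/login' unless current_user
  end
end
```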
Visual Quiz - 3 Questions
Test your understanding
Looking at the execution table, what is the session state after Step 4?
A) {"email": "user@example.com"}
B) {"user_id": 42}
C) {}
D) {"password": "secret"}
💡 Hint
Check the 'Session State' column at Step 4 in the execution table.
At which step does the server redirect the user to the login page due to missing session?
A) Step 2
B) Step 4
C) Step 6
D) Step 5
💡 Hint
Look at the 'Output/Redirect' column for the step where session is empty and redirect happens.
If the password was incorrect, what would happen at Step 3?
A) Redirect to /login
B) Session user_id is set
C) Redirect to /dashboard
D) User is found
💡 Hint
Refer to the 'Action' and 'Output/Redirect' columns around Step 3 in the execution table.
Concept Snapshot
Session-based authentication in Rails:
- User submits login form with email and password.
- Server verifies credentials.
- If valid, server stores user_id in session hash.
- Session ID is saved in browser cookie.
- On protected pages, server checks session user_id.
- If session missing or invalid, redirect to login.
Full Transcript
Session-based authentication in Rails works by having the user submit a login form with their email and password. The server then looks up the user by email and checks if the password matches. If the credentials are correct, the server stores the user's ID in the session hash. This session is linked to the user via a cookie stored in the browser. When the user requests protected pages, the server reads the session cookie to find the user ID and allows access if valid. If the session is missing or invalid, the server redirects the user back to the login page. This process keeps the user logged in securely across requests.