How to Use Session for Authentication in Rails
In Rails, you use the session hash to store a user's ID after login, which keeps them authenticated across requests. You set session[:user_id] when the user logs in and check it to verify authentication on protected pages.
Syntax
The session is a Rails-provided hash-like object that stores data between HTTP requests. You typically set session[:user_id] to the logged-in user's ID to remember their login state.
To log in a user: session[:user_id] = user.id
To check if a user is logged in: if session[:user_id]
To log out: session.delete(:user_id) or reset_session
```ruby
session[:user_id] = user.id   # Log in user
if session[:user_id]          # Check login
  # user is logged in
end
session.delete(:user_id)      # Log out user
reset_session                 # Clear all session data
```
Example
This example shows a simple Rails controller handling login, logout, and a protected page using session for authentication.
```ruby
class SessionsController < ApplicationController
  def new
    # login form
  end

  def create
    user = User.find_by(email: params[:email])
    if user&.authenticate(params[:password])
      session[:user_id] = user.id
      redirect_to dashboard_path, notice: "Logged in successfully"
    else
      flash.now[:alert] = "Invalid email or password"
      render :new
    end
  end

  def destroy
    session.delete(:user_id)
    redirect_to login_path, notice: "Logged out"
  end
end

class DashboardController < ApplicationController
  before_action :require_login

  def index
    # protected content
  end

  private

  def require_login
    redirect_to login_path, alert: "Please log in" unless session[:user_id]
  end
end
```
Output
When a user logs in with correct credentials, their user ID is saved in session[:user_id]. Accessing the dashboard without that ID in the session redirects to the login page. Logging out removes the stored user ID, so the next request is no longer authenticated.
Common Pitfalls
- Forgetting to check session[:user_id] on protected pages allows unauthorized access.
- Not clearing the session on logout keeps the user logged in.
- Storing sensitive data directly in session instead of just user ID is insecure.
- Not using has_secure_password or proper password hashing can expose passwords.
```ruby
class DashboardController < ApplicationController
  # Wrong: no login check
  def index
    # anyone can access
  end
end

# Correct way:
class DashboardController < ApplicationController
  before_action :require_login

  def index
    # protected
  end

  private

  def require_login
    redirect_to login_path, alert: "Please log in" unless session[:user_id]
  end
end
```
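The controllers in the Example section and the pitfalls above reduce to a few rules: verify the password against a stored digest rather than a stored password, put only the user ID in the session, rebuild the current user from that ID on each request, and discard the session on logout. The plain-Ruby model below walks through that flow so it can be run and asserted on outside Rails. It is an added example, not code from this page or from Rails: the User class, AuthFlow, the in-memory user store and the symbols standing in for redirects are all assumptions, and PBKDF2 from Ruby's standard library stands in for the bcrypt digest has_secure_password would use, so it runs without gems. It also adds one step the page's controllers do not show: calling reset_session before storing the ID at login, so that whatever session existed before authentication is not carried over.

```ruby
require "openssl"
require "securerandom"

# Stand-in for a has_secure_password model. Rails uses bcrypt; PBKDF2 from the
# standard library is used here so the example runs without gems (assumption).
# Only a salted digest is stored, never the password itself.
class User
  attr_reader :id, :email

  def initialize(id, email, password)
    @id = id
    @email = email
    @salt = SecureRandom.random_bytes(16)
    @digest = derive(password, @salt)
  end

  # Same contract as has_secure_password#authenticate: the user on success, false otherwise.
  def authenticate(password)
    secure_equal?(derive(password, @salt), @digest) ? self : false
  end

  private

  def derive(password, salt)
    OpenSSL::PKCS5.pbkdf2_hmac(password, salt, 20_000, 32, OpenSSL::Digest.new("SHA256"))
  end

  # Constant-time comparison so a wrong guess does not leak how many bytes matched.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Models the two controllers from the page outside Rails: the session is a plain
# Hash, and redirects/renders are returned as symbols so the flow can be checked.
class AuthFlow
  attr_reader :session

  def initialize(users_by_email)
    @users = users_by_email   # constructed in-memory stand-in for User.find_by
    @session = {}
  end

  # SessionsController#create: start from a fresh session, then store only the ID.
  # (In Rails, reset_session also issues a new session ID, so a session that
  # existed before login is not carried into the authenticated state.)
  def login(email, password)
    user = @users[email]
    return :render_login_with_error unless user&.authenticate(password)

    reset_session
    @session[:user_id] = user.id
    :redirect_to_dashboard
  end

  # SessionsController#destroy: drop everything, not just :user_id.
  def logout
    reset_session
    :redirect_to_login
  end

  # current_user rebuilds the user from the ID; nothing else lives in the session.
  def current_user
    id = @session[:user_id]
    id && @users.values.find { |u| u.id == id }
  end

  # DashboardController#index behind require_login.
  def dashboard
    return :redirect_to_login unless current_user

    :dashboard_rendered
  end

  private

  def reset_session
    @session = {}
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample user; the password is only ever held as a digest.
  users = { "alice@example.com" => User.new(1, "alice@example.com", "correct horse") }
  flow = AuthFlow.new(users)
  puts flow.dashboard                                    # redirect_to_login
  puts flow.login("alice@example.com", "wrong")          # render_login_with_error
  puts flow.login("alice@example.com", "correct horse")  # redirect_to_dashboard
  puts flow.dashboard                                    # dashboard_rendered
  puts flow.logout                                       # redirect_to_login
  puts flow.dashboard                                    # redirect_to_login
end
```

Note that `current_user` goes back to the user store every time: the session never carries the email, password digest or role, only the ID, which is the "store only user IDs" pitfall from the list above made concrete. The failed-login path leaves the session untouched, so a wrong password can never half-authenticate a request.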
Quick Reference
Remember these key session methods for auth in Rails:
| Method | Purpose |
|---|---|
| session[:user_id] = user.id | Store logged-in user ID |
| session[:user_id] | Check if user is logged in |
| session.delete(:user_id) | Log out user by removing ID |
| reset_session | Clear all session data |
| before_action :require_login | Protect controller actions |
Key Takeaways
Use session[:user_id] to track logged-in users in Rails.
Always check session[:user_id] before showing protected pages.
Clear session data on logout to end user sessions securely.
Store only user IDs in session, not sensitive info.
Use before_action filters to enforce authentication.