Is it safe to switch Apartment tenant using session variable to pass the tenant id?

Luca Rossi asked in Rails

Hello,

I know that Rails uses a digest to secure session data; however, I wanted to ask whether a better solution could be adopted.

I am currently loading the tenant in apartment.rb using a tenant_id session variable created after login in the session controller (Devise).

Do you guys think this is safe enough? Wouldn't want someone to change the id and access other tenants' data.

Cheers

@luca you are definitely fine in accessing tenant_id in the session. It is super common practice, in fact, to store the current_user that way as well. As long as you are serving over https you are fine, and sessions are notoriously hard to break into.

That said, you probably have the name/subdomain of the tenant in the subdomain and therefore never really need to store that info in the session, since it is unique enough to identify the apartment directly; it is effectively the tenant_id, right?

If I am missing something feel free to hit me back on here. Have a good one!

Thanks Casey, just wanted to get a second opinion on this one.

I am switching based on user id, not subdomain, that's why :)
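
An added example, not part of the thread and not Rails' or Apartment's own code: a simplified stand-in for a signed session cookie, showing that a tenant_id edited without the server secret fails verification, followed by a server-side check that the tenant in the session is the one on record for the user. `SECRET`, `USER_TENANTS` and every function name here are constructed for illustration.

```ruby
require "openssl"
require "json"

# Constructed sample values; a real app keeps the key in its credentials.
SECRET = "constructed-sample-secret"
USER_TENANTS = { 1 => "acme", 2 => "globex" }.freeze # stand-in for the users table

# Constant-time comparison so the check does not leak how many bytes matched.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Cookie value is "<base64 JSON>--<HMAC-SHA256 tag>".
def sign_session(data, secret = SECRET)
  payload = [JSON.generate(data)].pack("m0")
  "#{payload}--#{OpenSSL::HMAC.hexdigest("SHA256", secret, payload)}"
end

# Returns the session hash, or nil if the tag does not match the payload.
def verify_session(cookie, secret = SECRET)
  payload, tag = cookie.to_s.split("--", 2)
  return nil if payload.nil? || tag.nil?
  expected = OpenSSL::HMAC.hexdigest("SHA256", secret, payload)
  return nil unless secure_compare(expected, tag)
  JSON.parse(payload.unpack1("m0"))
rescue ArgumentError, JSON::ParserError
  nil
end

# Tenant to switch to, or nil. The cookie must verify, and the tenant_id it
# carries must be the one the server has on record for that user.
def tenant_for(cookie)
  session = verify_session(cookie)
  return nil unless session.is_a?(Hash)
  owned = USER_TENANTS[session["user_id"]]
  owned if owned && owned == session["tenant_id"]
end

# Rewrites tenant_id but keeps the old tag, which is all a client without
# the secret can do to the cookie.
def tamper(cookie, new_tenant)
  payload, tag = cookie.split("--", 2)
  data = JSON.parse(payload.unpack1("m0")).merge("tenant_id" => new_tenant)
  "#{[JSON.generate(data)].pack("m0")}--#{tag}"
end

cookie = sign_session({ "user_id" => 1, "tenant_id" => "acme" })
puts tenant_for(cookie).inspect                   # "acme"
puts tenant_for(tamper(cookie, "globex")).inspect # nil
```

The second check in `tenant_for` covers the case the signature cannot: a validly signed session whose tenant_id no longer matches the user's record.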
