Ask A Question

Notifications

You’re not receiving notifications from this thread.

Is it safe to switch Apartment tenant using session variable to pass the tenant id?

Luca Rossi asked in Rails

Hello,

I know that Rails uses a digest to secure session data, however I wanted to ask whether a better solution could be adopted.

I am currently loading the tenant in apartment.rb using a tenant_id session variable created after login in session controller (Devise).

Do you guys think this is safe enough? Wouldn't want someone to change the id and access other tenants data.

Cheers

Reply

@luca you are definitely fine in accessing tenant_id in the session. It is super common practice infact to store the current_user that way as well. As long as you are serving over https you are fine and sessions are notoriously hard to break into.

That said, you probably have the name/subdomain of the tenant in the subdomain and therefore never really need to store that info in the session since it is unique enough to identify the apartment directly it is effectively the tenant_id right?

If I am missing something feel free to hit me back on here. Have a good one!

Reply

Thanks Casey, just wanted to get a second opinion on this one..

I am switching based on user id, not subdmain that's why :)

Reply
Join the discussion
Create an account Log in

Want to stay up-to-date with Ruby on Rails?

Join 87,563+ developers who get early access to new tutorials, screencasts, articles, and more.

    We care about the protection of your data. Read our Privacy Policy.