Is it safe to switch Apartment tenant using session variable to pass the tenant id?
I know that Rails uses a digest to secure session data, however I wanted to ask whether a better solution could be adopted.
I am currently loading the tenant in apartment.rb using a tenant_id session variable created after login in session controller (Devise).
Do you guys think this is safe enough? Wouldn't want someone to change the id and access other tenants data.
@luca you are definitely fine in accessing tenant_id in the session. It is in fact super common practice to store the current_user that way as well. As long as you are serving over https you are fine and sessions are notoriously hard to break into.
That said, you probably have the name/subdomain of the tenant in the subdomain and therefore never really need to store that info in the session since it is unique enough to identify the apartment directly it is effectively the tenant_id right?
If I am missing something feel free to hit me back on here. Have a good one!
Thanks Casey, just wanted to get a second opinion on this one.
I am switching based on user id, not subdomain, that's why :)
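As an added example (not code from this thread, and not the Apartment gem's own code), the snippet below shows the shape of a session-driven elevator for the setup described in the question: the tenant comes from the signed session rather than the subdomain, and before switching schemas the middleware cross-checks that the session's tenant_id is the tenant the authenticated user actually belongs to. The browser cannot edit a Rails session cookie (it is signed, and encrypted on current Rails versions), so this check is aimed at server-side mistakes such as storing a tenant_id copied from a request parameter at login. TENANTS, USERS, TenantMismatch, SessionTenantElevator and run_request are constructed stand-ins; in a real app the switch and reset lambdas would call Apartment::Tenant.switch! and Apartment::Tenant.reset, the middleware would be registered after the session store (for example via Apartment::Elevators::Generic), and the user lookup would go through Devise.

```ruby
# Added example, not code from the thread or from the Apartment gem.
# It shows the one check a session-based elevator should make: the
# tenant_id in the (signed/encrypted) session must agree with the tenant
# recorded on the authenticated user before the schema is switched.
# TENANTS, USERS, TenantMismatch and SessionTenantElevator are constructed
# stand-ins; in a Rails app the switch block would call
# Apartment::Tenant.switch!(name) and the user lookup would go through Devise.

# Constructed stand-ins for the tenants and users tables.
TENANTS = { 1 => 'acme', 2 => 'globex' }.freeze
USERS   = { 10 => { tenant_id: 1 }, 11 => { tenant_id: 2 } }.freeze

class TenantMismatch < StandardError; end

# Resolve the schema name for a request's session, refusing anything that
# does not line up with the user record. Returns the tenant name.
def tenant_for_session(session)
  user_id   = session['user_id']
  tenant_id = session['tenant_id']
  raise TenantMismatch, 'no authenticated user in session' if user_id.nil? || tenant_id.nil?

  user = USERS.fetch(user_id) { raise TenantMismatch, "unknown user #{user_id}" }
  # The session is integrity-protected, so a browser cannot edit tenant_id;
  # this guards against server-side bugs that store the wrong id (for
  # instance copying it from a request parameter at login).
  unless user[:tenant_id] == tenant_id
    raise TenantMismatch, "user #{user_id} is not a member of tenant #{tenant_id}"
  end
  TENANTS.fetch(tenant_id) { raise TenantMismatch, "unknown tenant #{tenant_id}" }
end

# Minimal Rack-style middleware mirroring what an Apartment elevator does:
# compute the tenant, switch, run the app, and always switch back.
class SessionTenantElevator
  def initialize(app, switch:, reset:)
    @app, @switch, @reset = app, switch, reset
  end

  def call(env)
    session = env['rack.session'] || {}
    name = tenant_for_session(session)
    @switch.call(name)
    @app.call(env)
  rescue TenantMismatch => e
    [403, { 'content-type' => 'text/plain' }, ["forbidden: #{e.message}"]]
  ensure
    @reset.call # never leave the connection on a tenant schema
  end
end

# Drive it with an in-memory switch log instead of a real database.
# Returns [status, body, switch_log].
def run_request(session)
  log = []
  app = ->(_env) { [200, {}, ["served from #{log.last}"]] }
  elevator = SessionTenantElevator.new(
    app,
    switch: ->(name) { log << name }, # Apartment::Tenant.switch!(name) in a real app
    reset:  -> { log << 'public' }    # Apartment::Tenant.reset in a real app
  )
  status, _headers, body = elevator.call('rack.session' => session)
  [status, body.join, log]
end

if __FILE__ == $PROGRAM_NAME
  p run_request('user_id' => 10, 'tenant_id' => 1) # [200, "served from acme", ["acme", "public"]]
  p run_request('user_id' => 10, 'tenant_id' => 2) # [403, "forbidden: user 10 is not a member of tenant 2", ["public"]]
end
```

The reset in `ensure` matters as much as the check: with a threaded or pooled server, a connection left on a tenant schema after an exception would serve the next request's queries against the wrong tenant.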