Skip to main content

Is it safe to switch Apartment tenant using session variable to pass the tenant id?

Rails • Asked by Luca Rossi

Hello,

I know that Rails uses a digest to secure session data, however I wanted to ask whether a better solution could be adopted.

I am currently loading the tenant in apartment.rb using a tenant_id session variable created after login in session controller (Devise).

Do you guys think this is safe enough? Wouldn't want someone to change the id and access other tenants data.

Cheers


@luca you are definitely fine in accessing tenant_id in the session. It is super common practice infact to store the current_user that way as well. As long as you are serving over https you are fine and sessions are notoriously hard to break into.

That said, you probably have the name/subdomain of the tenant in the subdomain and therefore never really need to store that info in the session since it is unique enough to identify the apartment directly it is effectively the tenant_id right?

If I am missing something feel free to hit me back on here. Have a good one!


Thanks Casey, just wanted to get a second opinion on this one..

I am switching based on user id, not subdmain that's why :)


Login or Create An Account to join the conversation.

Subscribe to the newsletter

Join 27,623+ developers who get early access to new screencasts, articles, guides, updates, and more.

    By clicking this button, you agree to the GoRails Terms of Service and Privacy Policy.

    More of a social being? We're also on Twitter and YouTube.