Encrypted, database-backed session store for Rails.
 Dependencies

Runtime

>= 8.0.0
>= 8.0.0
>= 8.0.0
>= 1.15.0
>= 8.0.0
~> 2.6
 Project Readme

Stored Session


Encrypted, database-backed session store for Rails. It is a modernization of the activerecord-session_store gem that was previously extracted from Rails. Stored Session is encrypted by default and is tested with MySQL, PostgreSQL, and SQLite against Rails 8+.

Features

Should I use this?

Probably not.

The original active_record_store was extracted from Rails 4 in 2012 and moved to its own gem.

Rails 4 also began encrypting and signing cookies by default, including the session cookie. Prior to Rails 4, active_record_store was recommended when sensitive data needed to be stored in the session. Today, the secure defaults in Rails remove the need to store the session server-side for that reason.

Additionally, database-backed sessions put an increasing amount of strain on the database as traffic grows due to the sessions table being constantly operated against.

I built Stored Session primarily as an exercise in creating an "omakase" Rails engine to learn the framework's common patterns for things like engine configuration, instrumentation, and testing against multiple databases. Before using this gem in production, please make sure you really have a need for database-backed session storage!

When might you actually need this?

You might consider using database-backed sessions if you:

  • Have regulatory requirements mandating server-side session storage
  • Need to store session data larger than the 4KB cookie limit
  • Require detailed analytics or audit trails for every session

If none of these apply to your application, you're likely better off using Rails' default cookie-based session store.

Prerequisites

  • Ruby >= 3.2.0
  • Rails >= 8.0.0

Installation

Add Stored Session to your application by following these steps:

  1. bundle add stored_session
  2. bin/rails stored_session:install:migrations
  3. bin/rails db:migrate

ActiveRecord encryption must be enabled in order to use Stored Session. Follow the instructions in the guide to configure it.

Then, set your session store in config/initializers/session_store.rb:

Rails.application.config.session_store :stored_session_store, key: '_my_app_session'

When Solid Queue is used as your ActiveJob queue adapter, add StoredSession::ExpireSessionsJob to config/recurring.yml:

production:
  expire_sessions:
    class: "StoredSession::ExpireSessionsJob"
    schedule: every day

Instrumentation

Stored Session instruments session store operations with ActiveSupport::Notifications:

session_read.stored_session

Key Value
:sid The hashed session ID
{
  sid: '2::350cabf53a661de4fcf3d0ba6c6c65fd560b41e9697cf000168a9f420fb5366a'
}

session_write.stored_session

Key Value
:sid The hashed session ID
{
  sid: '2::350cabf53a661de4fcf3d0ba6c6c65fd560b41e9697cf000168a9f420fb5366a'
}

session_delete.stored_session

Key Value
:sid The hashed session ID
{
  sid: '2::350cabf53a661de4fcf3d0ba6c6c65fd560b41e9697cf000168a9f420fb5366a'
}
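
One way to consume these three events for an audit trail, as an added example that is not part of the gem. The class name `SessionAuditTrail`, the JSON log shape and the redaction rule are assumptions; `hashed_sid_for` additionally assumes the `sid` is Rack's private session ID (SHA-256 of the cookie's session ID), which matches the `2::` format shown above.

```ruby
require "json"
require "digest"
require "time"

# Audit subscriber for Stored Session events (added example, not the gem's code).
class SessionAuditTrail
  EVENTS = %w[session_read.stored_session session_write.stored_session
              session_delete.stored_session].freeze
  # Shape of the hashed sid in the payloads above: "2::" followed by 64 hex characters.
  HASHED_SID = /\A2::\h{64}\z/

  def initialize(io = $stdout)
    @io = io
  end

  # Five-argument form that ActiveSupport::Notifications passes to callable subscribers.
  def call(name, started, finished, _unique_id, payload)
    return unless EVENTS.include?(name)
    sid = payload[:sid].to_s
    # Anything that is not in hashed form could be a raw session ID: keep it out of the log.
    sid = "[REDACTED: not a hashed sid]" unless HASHED_SID.match?(sid)
    entry = { event: name.split(".").first, sid: sid,
              at: started.utc.iso8601(3),
              duration_ms: ((finished - started) * 1000).round(2) }
    @io.puts(JSON.generate(entry))
    entry
  end

  # Assumption: sid = "2::" + SHA-256 hex of the public session ID (Rack's private ID).
  # Lets an investigator map a known cookie value to its audit entries.
  def self.hashed_sid_for(public_id)
    "2::#{Digest::SHA256.hexdigest(public_id)}"
  end
end

# In a Rails initializer this attaches the trail; outside Rails the guard skips it.
SESSION_AUDIT = SessionAuditTrail.new
if defined?(ActiveSupport::Notifications)
  ActiveSupport::Notifications.subscribe(/\.stored_session\z/, SESSION_AUDIT)
end
```

Because only the hashed ID is logged, read access to the audit log does not by itself yield a usable session cookie.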

Acknowledgements

This gem builds upon the excellent work of many contributors in the Ruby on Rails ecosystem. Special thanks to:

  • The Rails core team and contributors, whose test suites and session store implementations in Rails itself provided a robust foundation.
  • The maintainers and contributors of the original activerecord-session_store gem, whose longstanding work influenced this implementation.
  • The Solid Cache and Solid Queue maintainers and contributors, particularly for their modern database interaction patterns.

Portions of the gem boilerplate, implementation, test suite, and gem infrastructure were adapted from these projects, each of which is also distributed under the MIT License.

License

The gem is available as open source under the terms of the MIT License.