
A Deep Dive Into Sessions

Video in TIB AV-Portal: A Deep Dive Into Sessions

Formal Metadata

CC Attribution - ShareAlike 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal and non-commercial purpose as long as the work is attributed to the author in the manner specified by the author or licensor and the work or content is shared also in adapted form only under the conditions of this license.

Content Metadata

What if your Rails app couldn’t tell who was visiting it? If you had no idea that the same person requested two different pages? If all the data you stored vanished as soon as you returned a response? The session is the perfect place to put this kind of data. But sessions can be a little magical. What is a session? How does Rails know to show the right data to the right person? And how do you decide where you keep your session data?
So, I hope the conference is going well so far. Thank you for coming by. I'm Justin Weiss, and I work at Avvo, where we help people find the legal help that they need. At Avvo I help our developers get better code into production more quickly. I also write articles and guides to becoming a better Rails developer on my site, justinweiss.com, and I wrote a book, Practicing Rails, which can help you learn Rails without getting overwhelmed.
What if that was your experience on the web? Imagine if your site couldn't tell that the same person had visited it two different times, or if everything in your variables just disappeared as soon as you returned that first piece of HTML. That might be fine for a site that doesn't do much, you know, a site that only cares about the most generic information. But most of us don't live in that world. We want to know about our users and store data about them, whether that's a user ID, a preferred language, whether they like the mobile or the desktop version of your site better, or what their favorite things are. You could deal with this the functional programmer way, where
you know, if you can't store state, you pass all the data you have along with every single request. But this is the kind of problem Rails solves for you: we put it in the session hash and it magically comes back on the next request. Now we never have to worry about which user is accessing the site ever again. So that's my talk, Intro to Sessions; thank you all for coming out.

But wait a second, how does that work? How does it stick around? I mean, I thought it was stateless. Rails makes using sessions really easy, and that's great, but it's also a little bit dangerous. For a long time I treated the session like a database I didn't have to set up. I didn't understand sessions, but I didn't really need to, because they were a magic cache that I could always depend on. Sometimes depend on. And it's that "sometimes" that made me hate using sessions, and made me unreasonably frustrated when session stuff didn't work, when you see session exceptions, the session vanishes, or there's missing data for a user. Why is that? In my first web programming job a lot of people didn't have accounts, and so we used sessions a lot, and I caused so many problems with them. Nil pointer and "can't find this user" exceptions happened like ten times as often as any other exception, and I got reprimanded more than once for the problems that caused with transactions. So this is what I did: I didn't understand it, so I just did what I was already doing, harder. You know, the code I wrote wasn't working, but it could work, that's OK, I'll just put nil checks everywhere. When that didn't work, I tried to avoid them: you know, sessions are terrible, let's not use them, let's make users log in on every page. Not great. But then I got a little bit more mature and I realized that this problem wasn't gonna go away, so instead I spent the time to really understand sessions at a deep level and construct a mental model of them that worked. After a while I started to be able to write code that avoided a lot of these problems in the first place. The nice thing is, to understand sessions
we really don't need to get too complicated. Really, this is what we want: we wanna know about a user, we wanna know about them securely so that nothing can mess with that data, and we want to know about them until they leave. When they stop using the site we don't really need to keep that data around anymore. All we need is some way for the user's browser to coordinate with the Rails app and make everything connect up.

This problem, the problem of not being able to keep track of information about users, people realized was a thing pretty early on. And as more people wanted to use the web, and especially buy things on the web, because money, developers needed a way to keep track of things like shopping carts and user preferences.
Now, I joked earlier about passing all the data you need along with every request in the URL, but that's not too far off from what we're doing now. The problem with params on your URL, though, is that it's easy to see them, it's easy to lose them, and it's easy to mess with them. But you have another option. When a web browser makes a request to a server, it sends headers along with that request, some information about that request. So a browser could send user data along with the rest of the headers so the server could see it. Once the server saw that data in the headers it could use it, it could change it, it could send new data back to the browser, the browser would send the modified copy back to the server, and it could keep getting passed back and forth and changed as they needed to. This idea, the idea to use a header that would be automatically sent by the browser, this came from Netscape in the early nineties, and they called these special headers cookies. About a year later it was supported in IE, so even 20 years ago we had to deal with that. But the nice thing about this is that the server really doesn't have to manage any of the state at all. The state is sent by the browser and managed by the browser.

So how do these cookies work? What do they look like? Let's say you make a request to Google through your browser, or, because these are slides, through a program like curl. When Google sends you the
page, it also sends some HTTP headers, like that metadata about a request. There's one I want you to focus on right now, this one. When Google returns a page it also sends a Set-Cookie header. When your browser sees that, it stores it along with information about which server it came from, in this case google.com. So the next time you request a web page from Google, your browser will send headers like this. If we put them side by side you can see it's the exact same cookie. That way your browser and your server have some shared piece of information, they have that connection, they can keep the conversation going and not have to reintroduce themselves to each other every single time.

Now, all cookies have a few different parts. They have data, which is the information that your server wants to remember, and they have metadata, which the browser cares about, which determines how and when the cookie should be sent to a server. This first part, the part before the semicolon, is the data. When you use the cookie object in Rails, it's storing data in that part and it's reading data out of that part. The rest of it is all metadata. For example, you can give cookies an expiration date. In this case, after September 7 the browser won't send this cookie anymore, which means the server won't have access to the data inside the cookie anymore. If you don't set an expiration date the cookie will usually disappear as soon as the browser closes. These are called session cookies, because they last for one browser session and then get deleted when you close the browser; sometimes they're just stored in browser memory, not actually persisted. Cookies that have an expiration date are sometimes called permanent cookies, because they last until that date and aren't automatically cleared when you close the browser. Sites can't
read each other's cookie data, so if I'm on google.com, this cookie would only be sent back to that domain, not to some other site. You can go a little bit further than that: you can restrict cookies to subdirectories and subdomains, which is especially helpful if you end up running multiple apps run by multiple users on a single domain, like GitHub Pages or WordPress. That dot before google.com is the same thing as google.com without the dot; it's a habit, because older browsers used to care about it. When you set a domain it also includes all subdomains, so here the cookie's valid for google.com and all subdomains, drive.google.com, mail.google.com, all that stuff. There are also some extra flags, like secure and HttpOnly, that I'll go over a little bit later on.

But you came here to learn about sessions, and it's getting close to lunch, so what does all this have to do with sessions? All sessions are built using cookies, because cookies are a pretty reliable way to keep track of users without having to keep track of params. So the better you understand cookies, if you can understand cookies at a deeper level, it will be much, much, much easier to understand sessions and how they work, and how they'll fail, as you'll see in a minute. Just like a hash, you can build way more complicated things on top of cookies, but out of the box they're pretty limited. A single cookie can hold only a single value; you'd need a separate cookie for every key-value pair. And because all the information is on the user side, on the browser side, you can't necessarily trust what's in there. Like, if you stored the user name in a cookie, the server would send this to your browser, then you could go into your browser's cookie database and change it, send that cookie back to the server, and all of a sudden you can see somebody else's data, because the server doesn't know any better; it can only trust you. Now this isn't any safer than having it in the URL like we saw before. So how does Rails work around these problems? Let's dig into an example. Here we have a pretty simple controller action. It
takes whatever's in params[:name], whatever name param we pass, and puts it in the session under session[:name]. This way we should be able to see the session get created. So when we get the response back, you can see the name. If we pass the name into the controller again, our controller is going to take that name param, put it into the session, and then hopefully echo that session back, and that's what we see over there. So you can see Rails stores the session under a single key, in a single cookie, this session key. If you search the sample code base for that session key, you'll find an initializer, session_store.rb. Changing that option will change which key your session data is stored under, and also break all your old sessions in the process, so not necessarily a great idea, but you can certainly do it.

Now, what does the cookie look like? Well, maybe we have the data in there, but we can't really tell; it's totally unreadable. So we could write whatever we want into it, but it's not going to be too successful if we try to do that. What is Rails doing here? Why is it like this? It's pretty easy to answer: the value looks like that so that users, or anybody else, can't mess with the wrong keys. In modern versions of Rails, session cookies are signed, which means if anybody tampers with them they become invalid, and also encrypted, so that nobody can even see the data stored inside. But that's not going to stop us. Let's get into this cookie and see what's inside. Now,
all Rails apps have a secret key base. These things are constantly going to get lost without it. That key is also used for all the encryption Rails does, which is what we're going to get into, and that includes signing cookies. Rails gives you some default, pre-generated secret key bases for development and test, and you can generate new ones for production with rake secret. When it boots, Rails puts the secret key base into a key generator, here, Rails.application.key_generator. I'm not gonna write all of this down; I'll have a gist I link to later on. But you can see we use that key generator, Rails.application.key_generator at the top, to create some secrets, and we use those secrets to create an encryptor object. This encryptor object is the same kind of thing that Rails uses to encrypt and decrypt cookies. So with this encryptor object we have at the bottom here, we should be able to decode it. We can pass that big giant string of encrypted text into this encryptor object, and what we get looks like this. It's JSON. So why is that JSON? It turns out that's set inside another initializer, this cookies_serializer. You can also use the symbol :marshal if you'd rather use Marshal, but JSON is the default. It's also really useful if you're trying to share these between apps in other languages, because every language understands JSON at this point.

So now we know that Rails stores all the session data inside a single cookie. We know that it does this by serializing it as JSON, which gives us the opportunity to put multiple keys and values inside a single cookie. We know that Rails signs and encrypts the cookie so you can't tamper with it or look at it. And we know that the session key and the serializer can both be configured to be something different if you want to. So now we can see that the cookie actually does contain that name parameter we passed. What we should be able to see now is, if we stop passing the name and pass the cookie instead, we should be able to see this
data come from the session data and not from the param. So let's check that out. Here we pass that big blob of encrypted cookie back to Rails, and it should remember who we are without a parameter. As you can see, we dropped the parameter off of the URL, and so we see the name, and we did not have any problems. This is exactly the sort of thing the browser would be doing, in this case, to store that data across multiple requests.

So step by step, here's everything that's happening between the browser and the server. The server stores data in the session. Rails turns that session hash into JSON, it encrypts the JSON and signs it, and it sends the cookie back to the browser in the Set-Cookie header. The browser stores it along with the fact that it came from your Rails app, so that the next time you hit your Rails app, the browser sends the cookie back, and Rails will verify it, decrypt it, and turn it into that session hash that everybody can use. It's like passing params on every page, but done automatically so that you don't have to think about it. Finally, Rails can change the data and send it back to the browser, which will overwrite the previous cookie, and they can just keep passing that data back and forth.

But if passing cookies back and forth was all there was to sessions, there'd be no reason to call them sessions. I mean, you'd just say "this cookie", this one user session cookie, like it's just the same thing. But it isn't always, right?
Remember how your browser sends that cookie along with every single request? Overhead starts to matter with data inside a cookie. Like, what happens if you store a 4 MB PDF in there, or the full text of Moby Dick for some reason? Every request to your server would include that 4 MB of data, even if your server doesn't care about it right now, even if it doesn't need it for that request. So cookies are limited: you can only put 4K of data in there. If you store more than that you'll get an exception, this ActionDispatch::Cookies::CookieOverflow exception, which also happens to be the most delicious of all the Rails exceptions. But even 4K is a whole lot bigger than most HTTP requests. I mean, most requests are only a couple hundred bytes, and this is like ten times that size. So if you care about performance you probably don't want to get anywhere close to that 4K.

But what if you need to store more data than that inside your sessions? How can you keep cookies small but make sessions big? Well, think about how you're already dealing with users. If you've got a signed-in user, you're probably not storing their ID and their name and their email address and their shipping address and their full name and their list of cart items in there. You're just storing the user ID, and you use that ID to look up the other information from the database later on. But what about people who don't have an account? They don't have a user ID, so you can't do this. But you can generate a random ID and you can store that in a cookie like this. Then you can use that ID in the exact same way you used the user ID, to look up information from the database later on. It's not really a user ID, so we should probably call it something different. In this case, it's the session ID. So now we have two different options for storing data persistently across multiple requests: you can store the data right inside the cookie, or you can store a reference inside the cookie and store the data itself someplace else, like inside a database.

What does that second option look like? Let's say that, just like the rest of our data, we wanna use Active Record to store session data, and let's say we call session[:name] = ... to create our session. What would Rails have to do in order to store this in Active Record? Well, Rails could generate a new random session ID so it has something to look it up with. It could turn the session hash into a string so that you don't have to have separate columns for everything you could possibly put in the session; just stuff it all in one string and put it in a single column. It would save the ID and that data to a row in your database so it can look it up later, and it would return the ID with Set-Cookie, so that the next time
you browse your site, it can use that ID to look up the session data and get your session hash back. Let's see the full cycle in action. First we'll change the session store to the Active Record Store, which is a gem. Then we'll add some data to the session using curl again. Remember, when we pass the name parameter it takes that name and puts it in the session, and this time a very short string is returned. Instead of that big mess of encrypted, signed data, there's just a short string at the end. So where does that come from? If you look inside the database you'll see a session ID alongside some encoded data, and you'll notice that the session ID and the string returned to the browser match. That's how it uses that ID to look up the session data later on. When your browser sends that cookie data back to the site, it remembers who we are again without passing a param. This is how that works: it grabs the session ID out of the cookie, it looks up the session ID in your database, it pulls the data associated with that ID, and it transforms the data back into the session hash. You can even store sessions in memcached, in Mongo, or pretty much anywhere else, and they all follow pretty much the same process: your cookie is now just a session ID, and your app uses that ID to look up the rest of the information. In a regular session store, you tell Rack how to find sessions, how to create new sessions, how to write session data, and how to delete sessions, by defining a few methods. Rails includes a simple cache store that uses your Rails cache to store sessions, and it's really, really simple and a good example to follow if this is something that you're interested in. I'll have all the links in the notes at the end.

So that's really just how Rails handles sessions. There are two strategies it uses: there's the cookie store strategy and there's the everything-else strategy. No matter what, you're storing some data inside the cookie, because you have to; it's the way the browser keeps the relationship with the server. But while the cookie store stores all the data in the cookie, the other methods store a reference to the data inside the cookie, and they can store the data however they want, like in a database, on disk, in memory, wherever.

But now we have a choice to make, because we have a few different ways to store sessions. This is an important choice to make, because changing session stores is not an easy thing to do. So which one should you choose? Should you choose the cookie store, the cache store built into Rails, or a data store? Storing
session data in cookies is by far the easiest way to go. You don't need to do any extra infrastructure setup; it just works out of the box. It's also nice because it syncs with the user lifecycle, and by that I mean while a user's visiting your site it's active, and when a user stops using your site, if they never visit it again, you have no cleanup to do, because the cookie's on the browser side, not the server side. No other method can guarantee that it'll get cleaned up. But it's also limited: you can only store 4K of data, and you probably don't want to go anywhere near that, and it's also more vulnerable to certain kinds of attacks, which I'm going to get to later on.

If the cookie store won't work for you, you have two options: you can store sessions in a database, or you can store them in your Rails cache. Now, you might already be using something like memcached to cache partials or some API response data, that kind of thing. If you're already using a Rails cache, this is pretty easy, because it's already set up for you; you don't have to do any more extra infrastructure work or that kind of stuff. You also don't have to worry about your sessions growing out of control, because most good caches are going to evict old stuff when new stuff comes in. It's fast, because if the cache is slow you probably have bigger problems to solve. But it's also not perfect. Your sessions and your cached data are going to be fighting for space, and if you don't have enough memory you could be facing a ton of early cache misses and early expired sessions. If you ever need to reset your cache, like if you upgraded Rails or made a big sweeping change right before and want to wipe everything and start over, you can't do that without also wiping your sessions. Still, this is how we store session data on our main avvo.com site and it's worked pretty well for us so far. If you need session data that you know is going to hang around until it legitimately expires, you'll probably want to keep it in some sort of database, whether that's Redis, or whatever, using Active Record, or something else.

Storing sessions inside a database has some other problems. Sessions won't get cleaned up automatically, so you have to go through and delete old sessions on your own. You also have to know how your database is going to work when it's full of sessions. Like, if you're using a Redis session store, is it going to try to keep all of your session data in memory? Do you have enough memory for that, or is it going to start swapping so hard you can't SSH in and fix it? You also have to be careful about when you create session data, or you'll fill your database with useless sessions. For example, if you accidentally touch the session on every single request, when Google crawls your site it could be creating hundreds of thousands of useless sessions that are never going to be hit again, and that's a bad time. Now, most of these problems don't happen super frequently, but they're all things you need to think about if you're storing session data somewhat permanently.

If you're pretty sure you won't run into any of the cookie store's limits, the cookie store is my favorite: you don't need to set it up, and it's not a headache to maintain. Cache store versus database, I think, is more a choice of how much you want to depend on sessions, how much you worry about actually expiring sessions early. I treat session data as pretty temporary, and I can program pretty defensively around sessions, so the cache store works well for me. So my personal preference is the cookie store first, then the cache store, then a data store.

Now, one of the biggest things we use sessions for is
identifying users. That's actually one of the most common things you use sessions for, and that also makes it a pretty juicy target for hacking. That means on top of the simple key-value pairs that make up cookies, sessions have a lot of extra stuff that somebody needs to worry about in order to keep them pretty secure. Think about how the Rails server trusts your cookie. It has to, because it's the only thing it has to go on. And that means that if somebody else has your session cookie, the Rails server has no idea, no way to tell that they're not actually you. On lots of public Wi-Fi networks you can pretty easily see other people's network traffic, and so if you're sending cookies over an insecure network to insecure servers, somebody can grab your cookies and pretend that they're you. This became a pretty big deal a couple of years ago, when Eric Butler released a proof of concept called Firesheep that would grab cookies over open Wi-Fi networks, and you could just double-click on somebody and be instantly logged in as them. That's scary, right? I know people who've had this happen to them.

And the only way to really prevent this is to run your site over HTTPS. That way all of your cookie data, all of your session data, is secure along with the rest of your Internet traffic. On a Rails site you can turn this on pretty easily; there's some extra infrastructure setup that you have to do, but I believe you just flip this config.force_ssl = true in your production config. And with free SSL certificates, with this whole ecosystem building up around them, with Heroku now supporting SSL on all paid dynos, there's really not a great excuse to run a site without SSL anymore. With force_ssl on, Rails will automatically mark this cookie with the secure attribute. What this means is that your cookies will no longer be sent to HTTP sites; they'll only be sent over HTTPS. It works just the same way as if you were trying to send a cookie to a different domain. But sniffing
a Wi-Fi connection isn't the only way to steal somebody's cookies. JavaScript can also do that. If you're on google.com you can use document.cookie to read Google's cookies, and anybody else who can run JavaScript on google.com can also read Google's cookies and send them to whatever server they want. Now, MySpace is a perfect example of this. MySpace is a perfect example of a lot of things, but this one was really fantastic. They had cross-site scripting vulnerabilities all over the place. It was really easy to get JavaScript or Flash onto your profile, and with that you could grab information about any of the people that visited your page, like name, profile URL, account ID, stuff like that. I'm guessing you probably could even have logged in as them, but nobody that I knew figured that part out.
Rails protects you from a lot of these attacks automatically by escaping your HTML, and Rails also marks the session cookie as HttpOnly by default. What that means is that when a cookie is marked as HttpOnly, it's only going to be accessible to your server; the browser is not going to make it accessible to JavaScript anymore. So that helps with a lot of things, but that's not enough.

Say you run a music store, and your customers can earn credits by buying songs. Your boss reads an article saying that forcing sign-in drops conversion rates, so no more sign-ups: we'll put everything in the session. That seems great, until somebody gets this brilliant idea. But wait, you're probably saying, we were just talking about this: Rails signs the cookie, so you can't tamper with it. In this case you don't actually have to tamper with it. Imagine the cookie were encrypted and you couldn't get into it at all. Somebody buys a song, and you send them a cookie with 400 credits. They buy another song, and you respond with a new cookie that has 300 credits in it. Your user ignores the new cookie and sends the old one again, and now they have infinite credits, because your server never knew about it.

This one does have an easy fix: you can store a unique number in the session and then check to make sure that you never accept it more than once, which is not really much fun, or you can switch to a database store or a cache store, which doesn't have this problem because all of that data lives on the server side. But the better idea is just not to put that state in the cookie to begin with. We have databases for storing data like that.

That's a few of the more interesting attacks, but there's a whole lot more, and I'm a big, big fan of the Rails security guide for learning more about this kind of thing; I'll link to that in the notes. Now, it might seem like there's a lot to think about around cookies and sessions, but there are a few good rules of thumb that I've picked up over the years that can help you avoid problems.
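To make the replay problem concrete, here is a small example added by the editor; it is not code from the talk or from Rails. It models a signed cookie store (the wire format, base64 JSON plus a hex HMAC-SHA256, is invented for the example and is not Rails' format), the music store that keeps credits in the cookie, and the nonce fix the talk mentions. The secret, the credit amounts and the cookie attributes emitted by `set_cookie_header` are all constructed for the demo.

```ruby
require "openssl"
require "json"
require "base64"
require "securerandom"
require "set"

# Small model of a cookie session store (example code, not Rails'). A valid
# signature proves the server wrote the cookie unchanged; it does not prove
# the cookie is the most recent one the server wrote.
class SignedCookieStore
  def initialize(secret)
    @secret = secret
  end
  # Serialize and sign. Anyone holding the cookie can still read the value.
  def dump(session)
    data = Base64.strict_encode64(JSON.generate(session))
    "#{data}--#{sign(data)}"
  end
  # Returns the session hash, or nil when the signature does not verify.
  def load(cookie)
    data, sig = cookie.to_s.split("--", 2)
    return nil unless data && sig && secure_compare(sign(data), sig)
    JSON.parse(Base64.strict_decode64(data))
  rescue ArgumentError, JSON::ParserError
    nil
  end
  # Set-Cookie header with the attributes discussed above: HttpOnly hides the
  # cookie from document.cookie, Secure keeps it off plain HTTP.
  def set_cookie_header(name, session)
    "#{name}=#{dump(session)}; Path=/; HttpOnly; Secure; SameSite=Lax"
  end

  private

  def sign(data)
    OpenSSL::HMAC.hexdigest("SHA256", @secret, data)
  end
  # Constant-time comparison so the signature check does not leak timing.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

SONG_PRICE = 100

# The music store from the talk, credits kept in the cookie: edits are
# rejected by the signature, but a stale cookie is still a validly signed one.
class CookieCreditStore
  def initialize(store)
    @store = store
  end
  # Returns [status, cookie_to_set].
  def buy_song(cookie)
    session = @store.load(cookie)
    return [:bad_cookie, nil] if session.nil?
    return [:insufficient_credits, cookie] if session["credits"] < SONG_PRICE
    session["credits"] -= SONG_PRICE
    [:ok, @store.dump(session)]
  end
end

# The nonce fix: stamp every issued cookie with a unique number and never
# honour the same number twice. The used set lives on the server (a Set here,
# a database or cache in production); that server-side state is what makes
# the replay detectable at all.
class NonceCreditStore < CookieCreditStore
  def initialize(store)
    super
    @used = Set.new
  end
  def issue(session)
    @store.dump(session.merge("nonce" => SecureRandom.hex(16)))
  end
  def buy_song(cookie)
    session = @store.load(cookie)
    return [:bad_cookie, nil] if session.nil?
    nonce = session["nonce"]
    return [:replayed, nil] if nonce.nil? || !@used.add?(nonce)
    return [:insufficient_credits, issue(session)] if session["credits"] < SONG_PRICE
    session["credits"] -= SONG_PRICE
    [:ok, issue(session)]
  end
end

# Runs the attack against both stores and returns what each one said.
def replay_demo(secret = "constructed-secret-for-this-example")
  store = SignedCookieStore.new(secret)
  naive = CookieCreditStore.new(store)
  first = store.dump("credits" => 400)
  ok1, _second = naive.buy_song(first)          # 400 -> 300
  ok2, replayed = naive.buy_song(first)         # the old 400 cookie, sent again
  forged = first.sub(/\A[^-]+/) { Base64.strict_encode64(JSON.generate("credits" => 999_999)) }
  bad, _ = naive.buy_song(forged)

  checked = NonceCreditStore.new(store)
  stamped = checked.issue("credits" => 400)
  ok3, _ = checked.buy_song(stamped)
  replay, _ = checked.buy_song(stamped)
  { naive_first: ok1, naive_replay: ok2, credits_after_replay: store.load(replayed)["credits"],
    forged: bad, nonce_first: ok3, nonce_replay: replay }
end
```

The naive store accepts the replayed cookie and hands back 300 credits again, so the customer can loop forever; the forged cookie fails the signature check; the nonce store accepts the first use and refuses the second. Note that the nonce store only works because it remembers something on the server, which is the talk's real point: once you need server-side state anyway, keep the credits there instead of in the cookie.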
The first is: prepare for the session to disappear at any time. This happens because sessions live on the user's computer. That's a problem because it means you have absolutely no control over when they clear their cookies, or when they switch devices, or any of that stuff. So keep in mind, every time you use the session, that the session might not be there anymore. Program defensively, because it's going to happen, and if you're not prepared for it, it can cause big problems later on when you're not seeing the data you expect.

The second is: don't store actual objects in your session. Why would this be a bad idea? Say you store a cart item in the session that has a title and a quantity, and later on you rename title to name, because frankly title is a terrible name for a cart item and I have no idea who came up with that. This is probably going to work great for you, because you probably don't even have a cart item in your session at that moment. But then when you ship to production, all of the old sessions are going to try to turn that data into new cart items, referencing an attribute that no longer exists, and everything will explode.

Now, I have personally taken down large chunks of a site because of this problem, and I know I'm not the only one; I've seen this happen many times. When it happens you really only have two options, and they're both terrible. One is that you can reverse the change, which probably isn't going to work, because now you have people with old cart items and new cart items in their sessions, and you can try to come up with some grand unified cart item that handles both, all the while the site is falling down and on fire. Or you could just say we're going to start from a clean slate, wipe the session data, and everyone loses all of their data. The more you rely on objects in the session, the more likely this is to happen, and it never shows up in development or test, because you probably aren't using sessions there in the same way that you are in production. It's the ultimate "works on my machine". So just don't do it: prefer storing references to objects, object IDs, in the session, not the objects themselves. And finally, be deliberate
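The following is an added example by the editor, not the speaker's code. It reproduces the failure mode just described (whole objects marshalled into the session, then the class's attribute renamed in a later deploy) and the recommended alternative (ids only, resolved against current data on load, with a missing or broken session treated as an empty cart). The `CartItem` struct, the `CATALOG` hash standing in for the database, and the session contents are all constructed for the demo; the deploy is simulated by redefining the constant inside one process.

```ruby
require "json"

# Simulates a deploy by (re)defining CartItem with the given members. Marshal
# records only the class name, so after a deploy old sessions are rebuilt
# against whatever CartItem looks like now.
def deploy_cart_item(*members)
  Object.send(:remove_const, :CartItem) if Object.const_defined?(:CartItem)
  Object.const_set(:CartItem, Struct.new(*members))
end

# The approach the talk warns against: the session holds the objects themselves.
# Returns the bytes a Marshal-based session store would have written.
def session_with_objects
  deploy_cart_item(:title, :quantity)
  Marshal.dump("cart" => [CartItem.new("Song A", 2), CartItem.new("Song B", 1)])
end

# Loads an old session after a deploy that defines CartItem with `members`.
# Same shape: :loaded. Renamed attribute: the name of the error Marshal raises.
def load_objects_after_deploy(blob, *members)
  deploy_cart_item(*members)
  Marshal.load(blob).fetch("cart")
  :loaded
rescue TypeError, ArgumentError => e
  e.class.name
end

# The recommended approach: ids and quantities only, in a format with no
# dependency on a Ruby class. CATALOG stands in for the database (constructed).
CATALOG = {
  1 => { "name" => "Song A" },
  2 => { "name" => "Song B" },
}.freeze

def session_with_ids
  JSON.generate("cart" => [{ "id" => 1, "quantity" => 2 },
                           { "id" => 2, "quantity" => 1 },
                           { "id" => 9, "quantity" => 1 }]) # id 9 has since been deleted
end

# Rule 1: the session may be missing, empty or unparseable -> empty cart.
# Rule 2: ids are resolved against current data; unknown ids are dropped.
def load_cart(session_json)
  return [] if session_json.nil? || session_json.empty?
  JSON.parse(session_json).fetch("cart", []).filter_map do |entry|
    item = CATALOG[entry["id"]]
    { "name" => item["name"], "quantity" => entry["quantity"] } if item
  end
rescue JSON::ParserError
  []
end
```

Loading the marshalled session against the same struct shape works; loading it after the rename raises inside `Marshal.load` before your code ever runs, which is why the whole request blows up. The id-based session survives the rename, a deleted record, and an absent cookie.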
about what you use the session for. Only use the session when it makes a lot of sense. Because sessions are so easy, it's really easy for them to become a dumping ground of random data, and that's when things start to go really wrong. One of the worst bugs I ever investigated went sort of like this: we shipped something, and all of a sudden I started to see exceptions coming from what seemed like a completely random part of the app. Like a lot of session bugs, we couldn't reproduce it locally and we couldn't debug it remotely. After adding a bunch of logging, we ended up discovering that some code we had deleted a long time ago used the same name for something in the session as something we had just recently shipped. We had two completely different pieces of data that were stomping on each other and causing problems. It turned out that neither of those things needed to be in the session; we put them there because it was more convenient than rolling a whole new database table for them, and the cost was way more dev time, and expense for some of our users, than just doing it right in the first place. Just like code, if you don't use the session for something, that something can't cause a problem, so use it with intent. Even if you follow these best practices, though, things are going to go wrong, so how do you start debugging when you're not seeing what you expect? The best trick
I've ever learned to help me debug any kind of problem is to isolate the problem area as quickly as possible. What I mean is: if a function is getting the right input, you probably don't need to look any higher than that; if a function is sending the output you'd expect given its input, you probably don't need to look any lower. You just keep bringing those two closer and closer together until you've really narrowed in on the place that's causing the problem. The best tools I've found for debugging session issues are all about showing you what my server is sending and what my server is receiving.

At the higher-level area you use something like curl or Postman; if you do web development, yes, that's just many, many people. These are great tools for debugging session issues: you can see the session data the server is sending, and you can send arbitrary sessions back to the server and see how it responds. If curl or Postman are telling you that your server is working OK, you can usually assume that the problem is the browser not sending something you expect, or something else strange going on.

For debugging weird Internet problems, mitmproxy is my favorite tool. mitmproxy is a little server that sits between your browser and your app, and it shows you all of the network connections that go on between the two. You can see a list of network requests, you can dive into each of them and start to see the request headers, response headers, all that kind of stuff, and see all of the real data that's going back and forth, which is really great at helping you understand the problem. Even just last week I was debugging a session race condition, where we had Ajax requests that were stomping on session data, and with mitmproxy I was able, within about half an hour, to construct an actual timeline of how these requests were going out, when they were coming back, and how they were conflicting with one another. So I'm a big, big fan of this tool.

If your browser isn't sending cookies correctly, check the domain settings on your cookies. This is really easy to mess up, and it's also really hard to test, because in development you're probably not running the entire infrastructure of your production website. It's also good to be able to look inside your session cookie and see what's in it, so if you think the session is the problem, I have the beginnings of a gem that you can install. You include the gem, run rails console inside your Rails app, and you can paste in your cookie string and it'll decode it using your app's key generator and all of the other stuff that happens to a cookie.

From all of this we can kind of see that
sessions are core to the modern web, and by modern I mean since, like, 1995. So when you're running into problems with session data, it might seem like they're big and complicated and flaky and frustrating, but like we saw, a session isn't that big of a thing. Sessions are based on a pretty simple primitive: a single key, a single value, and some metadata. On that foundation you build new features bit by bit and piece by piece. First you serialize the data so you can store more values and fit more data into a single cookie; then you encrypt it to avoid tampering with it, or use the cookie value as a reference to data stored somewhere else. Sessions can get complicated, but at the core they're really built out of a few simple parts that can all be combined together.

And this is my favorite thing about software development: it's all just code. Things that seem super complicated, like Git, or sessions, or how the web even works: they were all built by somebody. They were built for a reason, to solve a problem, and if you understand what the problem is and how they were built, they're all understandable at the core. We usually dig into these things when we're having problems with them, and that stress and confusion makes them seem completely insurmountable, but in the end they almost always turn out to be way simpler than you'd expect. The next time you get really frustrated that something isn't working, don't be like me; skip straight to that last phase, spend some time, and force yourself to learn it. Turn that frustration into a mystery to solve, and break it into pieces small enough to understand. You'll transform bugs that seem confusing, random and unfair into some new and exciting piece of knowledge you can use for the rest of your programming career.
And if you learn something new and exciting, or want to talk programming, or really anything else, I would love to talk with you. My contact info is up here; I respond to everything. Let me know if you're ever in Seattle and I'll meet up with you. And that last link up there: if you write one thing down from this, write that down. It's a link to the resources for the talk: the slides, the gem for decoding sessions, some other notes that didn't quite fit in, and some useful session-related links. So it looks like I'm about out of time. If anybody has questions I'm happy to take them; otherwise, thank you.