https://stackoverflow.com/questions/23597718
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianWhen you login a user(Devise model name User), a key "warden.user.model_name.key" is created which in your case is "warden.user.user.key".
For example:
{ warden.user.user.key => [[1], "$2a$10$KItas1NKsvunK0O5w9ioWu"] }
where
1 is the id of the logged in user.
$2a$10$KItas1NKsvunK0O5w9ioWu aka long-random-string is the partial encrypted password of user with id 1.
You can verify this by going on rails console and executing
User.find(1).encrypted_password
## => "$2a$10$KItas1NKsvunK0O5w9ioWuWp4wbZ4iympYMqVCRmmvTGapktKqdMe"
UPDATE
could you tell me a bit more about this partial encrypted password? why is it partial and not full?
To answer your above question in the comment, Devise stores the partial encrypted_password in the session by invoking authenticatable_salt method. Devise stores the partial encrypted_password as it is more reliable rather than exposing the full encrypted_password in the session(even though its encrypted). That's why the first 30 characters[0,29] of the encrypted_password are extracted and stored in the session.
# A reliable way to expose the salt regardless of the implementation.
def authenticatable_salt
encrypted_password[0,29] if encrypted_password
end
You can see the code for authenticatable_salt here.
where/when is it used? is it used by Devise, or by Rails, or both?
It is used by Devise for authentication purpose to verify whether or not a particular user is logged in. Ideal use-case would be, how a particular Rails application keeps track of how a user is logged in when a new page is requested. As HTTP requests are stateless, it would be impossible to tell that a given request actually came from that particular user who is logged in? This is why sessions are important as they would allow the application to keep a track of the logged in user from one request to another until the session expires.
