Sessions and Signin Failure

A session is a semi-permanent connection between two computers, such as a client computer running a web browser and a server running Rails. We’ll be using sessions to implement the common pattern of signing in, and in this context there are several different models for session behavior common on the web: ‘‘forgetting’’ the session on browser close, using an optional ‘‘remember me’’ checkbox for persistent sessions, and automatically remembering sessions until the user explicitly signs out.1 We’ll opt for the final of these options: When users sign in, we will remember their signin status ‘‘forever,’’ clearing the session only when the user explicitly signs out. (We’ll see in Section 8.2.1 just how long ‘‘forever’’ is.)

                 It’s convenient to model sessions as a RESTful resource: We’ll have a signin page for new sessions, signing in will create a session, and signing out will destroy it. Unlike the Users resource, which uses a database back-end (via the User model) to persist data, the Sessions resource will use a cookie, which is a small piece of text placed on the user’s browser. Much of the work involved in signin comes from building this cookie-based authentication machinery. In this section and the next, we’ll prepare for this work by constructing a Sessions controller, a signin form, and the relevant controller actions. We’ll then complete user signin in Section 8.2 by adding the necessary cookie-manipulation code.