As of Rails 4.0, the ActiveRecord Session Store, which saved session variables in the database, was removed due to "performance issues." But the functionality continues to work through a gem. Today Rails uses the Cookie Session Store.
ActiveRecord session store - The ActiveRecord session store is extracted to a separate gem. Storing sessions in SQL is costly. Instead, use cookie sessions, memcache sessions, or a custom session store.
Source: link
Translated:
ActiveRecord session store - The ActiveRecord session store has been moved to a separate gem. Storing sessions in the database is costly [in terms of performance]. Instead, use sessions based on cookies, memcache sessions, or a custom session.
In spite of this, I find references on the web saying that its use is still recommended (to avoid session hijacking, for example). The Rails security guide itself (link) seems to suggest this, though it does not name the gem.
After all, is it really advantageous to use the database to save session variables, such as the id of the logged-in user, etc.? Does the performance cost become noticeable?