This cookie-based session store is the Rails default. It is dramatically faster than the alternatives.
Sessions typically contain at most a user_id and flash message; both fit within the 4K cookie size limit. A CookieOverflow exception is raised if you attempt to store more than 4K of data.
The cookie jar used for storage is automatically configured to be the best possible option given your application’s configuration.
If you only have secret_token set, your cookies will be signed, but not encrypted. This means a user cannot alter their user_id without knowing your app’s secret key, but can easily read their user_id. This was the default for Rails 3 apps.
If you have secret_key_base set, your cookies will be encrypted. This goes a step further than signed cookies in that encrypted cookies cannot be altered or read by users. This is the default starting in Rails 4.
If you have both secret_token and secret_key_base set, your cookies will be encrypted, and signed cookies generated by Rails 3 will be transparently read and re-issued as encrypted cookies to provide a smooth upgrade path.
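The three behaviours above (a signed jar whose user_id is readable but tamper-evident, an encrypted jar that is neither readable nor alterable without the key, and the transparent upgrade from one to the other) can be modelled with the Ruby standard library alone. The block below is an added example written for this page; it is not Rails code and does not reproduce Rails' actual cookie format, key derivation or class names (SignedJar, EncryptedJar, read_and_upgrade and the 'session-salt' string are all constructed for illustration). It also enforces the 4K limit the text describes by raising a CookieOverflow error.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Constructed example (not Rails code): minimal models of the signed and
# encrypted cookie jars described in the text, built on Ruby's stdlib.
COOKIE_LIMIT = 4096 # the 4K cookie size limit

class CookieOverflow < StandardError; end

# Signed jar (secret_token only): the payload is plain Base64 that anyone can
# decode, but changing it without the secret breaks the HMAC.
class SignedJar
  def initialize(secret_token)
    @secret = secret_token
  end

  def generate(session)
    payload = Base64.strict_encode64(JSON.generate(session))
    cookie = "#{payload}--#{sign(payload)}"
    raise CookieOverflow, "cookie exceeds #{COOKIE_LIMIT} bytes" if cookie.bytesize > COOKIE_LIMIT
    cookie
  end

  # Returns the session hash, or nil if the signature does not verify.
  def verify(cookie)
    payload, sig = cookie.split('--', 2)
    return nil unless payload && sig && secure_compare(sign(payload), sig)
    JSON.parse(Base64.strict_decode64(payload))
  end

  private

  def sign(data)
    OpenSSL::HMAC.hexdigest('SHA256', @secret, data)
  end

  # Constant-time comparison so the signature cannot be guessed byte by byte.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Encrypted jar (secret_key_base): AES-256-GCM provides both confidentiality
# and integrity, so the session can be neither read nor altered by the user.
class EncryptedJar
  def initialize(secret_key_base)
    # Hypothetical key derivation: a fixed salt is used here for brevity.
    @key = OpenSSL::PKCS5.pbkdf2_hmac(secret_key_base, 'session-salt', 1000, 32,
                                      OpenSSL::Digest.new('SHA256'))
  end

  def generate(session)
    cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
    cipher.key = @key
    iv = cipher.random_iv
    ciphertext = cipher.update(JSON.generate(session)) + cipher.final
    cookie = [ciphertext, iv, cipher.auth_tag].map { |b| Base64.strict_encode64(b) }.join('--')
    raise CookieOverflow, "cookie exceeds #{COOKIE_LIMIT} bytes" if cookie.bytesize > COOKIE_LIMIT
    cookie
  end

  # Returns the session hash, or nil if the cookie is malformed or the GCM tag fails.
  def verify(cookie)
    parts = cookie.split('--', 3)
    return nil unless parts.size == 3
    ciphertext, iv, tag = parts.map { |b| Base64.strict_decode64(b) }
    cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
    cipher.key = @key
    cipher.iv = iv
    cipher.auth_tag = tag
    JSON.parse(cipher.update(ciphertext) + cipher.final)
  rescue OpenSSL::Cipher::CipherError, ArgumentError, JSON::ParserError
    nil
  end
end

# True if the first cookie segment decodes to a session hash without any key,
# which is exactly what a signed-only cookie lets the user do.
def readable_without_key?(cookie)
  decoded = JSON.parse(Base64.strict_decode64(cookie.split('--').first))
  decoded.is_a?(Hash) && decoded.key?('user_id')
rescue ArgumentError, JSON::ParserError
  false
end

# Upgrade path: accept a legacy signed cookie, re-issue it encrypted.
# Returns [session, fresh_encrypted_cookie] or nil if neither jar accepts it.
def read_and_upgrade(cookie, signed_jar, encrypted_jar)
  session = encrypted_jar.verify(cookie) || signed_jar.verify(cookie)
  return nil unless session
  [session, encrypted_jar.generate(session)]
end
```

Running the two jars side by side makes the difference concrete: readable_without_key? is true for the signed cookie and false for the encrypted one, while a forged payload pasted in front of a valid signature is rejected by both.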
Configure your session store in config/initializers/session_store.rb:
  Rails.application.config.session_store :cookie_store, key: '_your_app_session'
Configure your secret key in config/secrets.yml:
  development:
    secret_key_base: 'secret key'
To generate a secret key for an existing application, run `rake secret`.
Note that changing the secret key will invalidate all existing sessions!