Sinatra: Using Sessions to Stay Logged In and Manage User Access

Michael Stephens
4 min read · Mar 8, 2021

The internet has become one of the

As one of the last of the Gen Xers, I am old enough to remember the end of the analog era and young enough to have had a front-row seat to the technological revolution of the last 30 or so years. That revolution has caused massive disruptions in the way we live today, some of it good and some of it bad. While there is no doubt that technologies like the smartphone and social media have been a significant factor in the drastic changes we have seen, it would be hard to argue that any single piece of technology has been more revolutionary than the internet. After all, the internet is the backbone of all the technologies we enjoy today, and without it your smartphone wouldn’t be so smart.

One of the things that makes the internet so enjoyable is its convenience. Whether you are shopping online, communicating on social media, or doing any of the endless other things the internet makes possible, the ability to stay logged into a website without having to sign in again every time you navigate to a new page on that site is one of the most essential parts of the site’s user experience.

As web developers, we need to design our sites in a way that allows the user to stay logged in, not only to improve the user experience but also to help us grant and restrict a user’s access to the site. We do this through the use of sessions.

By default, sessions are disabled in Sinatra and must be enabled.

Because sessions work with cookies (data from the website that is stored in your local web browser), it is important that you also secure the session by setting a session secret. Although I am not covering it here, it is important to know that there are additional steps that can and should be taken to secure the session secret. I’m not covering them in this article because the level of security required will vary depending on your application.

Sessions are a very powerful tool. They can be used to render data specific to the user, or to apply general changes to a web application that aren’t user specific but still need to change based on whether a user is signed in or not. One example of the latter scenario is how a website renders its navigation bar. When you visit a site for the first time, or visit a site you are not logged into, you are typically greeted with the option of logging in or creating a new account. Once you log in, those options are generally replaced with the option to log out. After all, it could be rather confusing to a user if the site displayed the option to log in when they were already logged in. In this situation we don’t need to track which user is logged in; a simple method like ‘logged_in?’ can be used to determine whether any user is logged in. That method can then be paired with an if statement to change how the website renders the navigation bar.

While there are plenty of potential areas where we don’t need to know who the user is, there are many ways we can enhance a user’s experience with our site by tailoring it to them. This can include things as simple as changing the color scheme of the site or as important as restricting unauthorized persons from altering another user’s data. This is typically done by verifying that the session’s user id matches the user id of the user the data belongs to.

In the example above, the vehicle belongs to a user, and we verify that the user_id of the vehicle’s owner matches the id of the user who is currently logged in, thus preventing anyone other than the vehicle owner from making changes to the vehicle.

Lastly, when the user is ready to log out of our site, we simply clear their session with the code below, and their session has ended.
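The pieces described above (a ‘logged_in?’ helper, the owner check on a vehicle, and clearing the session on logout), as an added example that is not the author’s code. It is plain Ruby so it runs without Sinatra: the `session` argument is a Hash standing in for Sinatra’s session object (enabled with `enable :sessions` and `set :session_secret, ...`), and the users and vehicles are constructed sample records rather than database rows.

```ruby
# Session helpers modelled on the pattern in the post. In a real Sinatra app
# these would live in a `helpers do ... end` block and a route would use them:
#   patch '/vehicles/:id' do
#     halt 403 unless SessionAuth.owner?(session, VEHICLES[params[:id].to_i])
#     ...
#   end
User    = Struct.new(:id, :name)
Vehicle = Struct.new(:id, :user_id, :make)

# Constructed sample data standing in for database records.
USERS    = { 1 => User.new(1, 'alice'), 2 => User.new(2, 'bob') }
VEHICLES = { 10 => Vehicle.new(10, 1, 'Subaru'), 11 => Vehicle.new(11, 2, 'Honda') }

module SessionAuth
  module_function

  # Bind the session to a user. Clearing first drops any state left over
  # from a previous user so nothing leaks across logins.
  def login(session, user_id)
    session.clear
    session[:user_id] = user_id
    session
  end

  # True when anyone is logged in; we do not care who.
  def logged_in?(session)
    !session[:user_id].nil?
  end

  def current_user(session)
    USERS[session[:user_id]]
  end

  # True only when the logged-in user is the vehicle's owner.
  def owner?(session, vehicle)
    logged_in?(session) && vehicle.user_id == session[:user_id]
  end

  # The decision a vehicle edit route would make: send anonymous visitors to
  # the login page, refuse other users, and let the owner through.
  def edit_decision(session, vehicle_id)
    vehicle = VEHICLES[vehicle_id]
    return :not_found if vehicle.nil?
    return :redirect_login unless logged_in?(session)
    owner?(session, vehicle) ? :edit : :forbidden
  end

  # Navigation bar choices, driven only by logged_in?.
  def nav_links(session)
    logged_in?(session) ? ['Log Out'] : ['Log In', 'Sign Up']
  end

  # Logging out is just clearing the session.
  def logout(session)
    session.clear
  end
end
```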
