Randy Girard

session[:current_user] = @user => BAD!

I’m sure most of you already would know this, or use restful authentication that handles it for you. However, if you have some custom setup where you are loading a user object, and then storing it in session, slap to you! Basically what I am talking about is doing this in your login method:

session[:current_user] = @user

Instead you should do:

session[:current_user] = @user.id

And then in your application controller, setup a before filter like so:

def set_current_user
  @current_user = User.find(session[:current_user])
end

One main reason not to do that would be if you had to update some user information. If you had it stored in session, then the user would have to log out and log back in for the changes to take effect. This is of course a basic rough draft, but you get the idea.