I’m looking at implementing some form of anonymous user system in Rails. I need to let people do things (creating records, looking at what they’ve created, etc), without actually creating an account. Once they create an account, everything persists without risk of losing it by clearing cookies or something.
Right now, I’m thinking it’s pretty straightforward. Have an is_anonymous field in the User model, and use something like this to access the currently logged in user:
def find_user session[:user_id] ||= create_new_anonymous_user.id end Assuming the session persists for some reasonable period of time, and the session cookie doesn’t expire, that should keep everything running smoothly.
However, there is this piece of me that is convinced that I’m missing something security-related. Has anyone done something like this before? Am I missing something super-obvious?
Thanks!
The only real security issue is going to be if these anonymous users can perform critical operations.
Your system means that anyone with the specific cookie will gain access to the site. Not necessarily a big deal, but it really depends on the type of information your users are providing.
I have done something similar in the past (in my case I was tracking progress through a site and when the user logged in or registered, I attached the ‘guest’ data to their account. When you do the switch, make sure you delete the anonymous record to prevent further access and it should be fine.