I’ve recently stumbled upon some design flaw in Rails applications. It looks like it is much more popular than I thought…
Session hash can store whole objects. Don’t do that. I’ve recently seen applications storing whole ActiveRecord objects in session. Why it is dumb idea?
First – with new Rails default storage for session are cookies in browser, so You get very low size limit (AFAIR 4 kB). Second (and this the real reason) – if Your schema will change, then all objects kept in session become invalid. The problem is that with new application code, those objects will be like guest from deep past. They will be created but they will miss new attributes – and when Your application will try to use some of them kaboom….
This is not only related to session hash – it is general problem with object serialization (and storing for long. Try to avoid Marshal, whenever it is not really required.