Unauthenticated User Flow - danmee10/rhyme-ninja GitHub Wiki

I'm going to take a break from testing for a moment to address some of the issues I discovered while writing model specs.

Currently, a new User record is saved to the database every time the root of the application is hit, and a new Rhyme record is saved every time someone clicks on the 'Enter the Ninja' button on that page. These actions do not require an account, and therefore represent a vulnerability to anyone wishing to fill up my database with nonsense.

I still want anonymous users to be able to use the Ninja, and I want whatever they create with it to be available to them in their account if they create one during the same session. I don't want to save this information in memory for the same reason I don't want it persisted to my database, so the only option I can see is to store it on their browser in a cookie.

###Memory Considerations

I realize that this is pushing the limits of what cookies should be asked to store, but in this case, I don't think there is much danger. I am using Rails' default session_store, :cookie_store, which stores the session data on the client, so I do have to keep that in mind. As of now, there is only one session variable for anonymous users which is only 306 bytes. I will restrict the character count of the anon rhymes that get created to 700 characters bringing the total char count to 1400 (since the original text must be stored as well as the rhymed text) plus what ever the title is. This should be well within the 4kb limit. I will also be explicitly expiring these cookies once the user authenticates, so that this burden is only on browsers with anonymous users, who have minimal access site functionality anyway.

If this method becomes insufficient, I will probably try Redis, but I’ll cross that bridge when I come to it.