If you’re asking what happens if another user modifies an active_record that you have stored in a user’s session: don’t do that.
The general consensus is don’t store them there. Rails sessions make no attempt to keep in sync with the database; it just serializes the object into the session and doesn’t hit the db again. The way that a lot of people look after this is to store just the id in the session, then have a lazy-loading method to get the record.
As an example, the restful_authentication plugin tracks the current user with these two methods:
# Accesses the current user from the session.
def current_user
  @current_user ||= (session[:user] && User.find_by_id(session[:user])) || :false
end

# Store the given user in the session.
def current_user=(new_user)
  session[:user] = (new_user.nil? || new_user.is_a?(Symbol)) ? nil : new_user.id
  @current_user = new_user
end
There have been many blogs and threads on this list dealing with this issue. A quick google should turn up some answers.
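Added example, not part of the original post and not code from Rails or restful_authentication: a plain-Ruby simulation of why a record serialized into the session goes stale (here a revoked admin flag) while an id-only session picks up the change and a deleted account. The `User` struct, the `USERS` hash standing in for the database, `find_by_id`, `reload_session` and `current_user(session)` are all constructed for this illustration.

```ruby
# Constructed stand-ins: USERS plays the database table and Marshal plays the
# session serializer. None of these names are Rails or plugin APIs.
User = Struct.new(:id, :login, :admin)
USERS = {}

def find_by_id(id)
  USERS[id]
end

# Round-trip a session hash the way a serialized session store would
# between two requests.
def reload_session(session)
  Marshal.load(Marshal.dump(session))
end

# Lazy lookup in the style of the post: the session holds only the id.
def current_user(session)
  session[:user] && find_by_id(session[:user])
end

# Anti-pattern: the whole record is copied into the session.
def stale_session_demo
  USERS[1] = User.new(1, "alice", true)
  session = reload_session({ user: find_by_id(1) })
  USERS[1].admin = false            # another request revokes admin in the "db"
  session = reload_session(session) # next request loads the session again
  session[:user].admin              # the session copy never saw the change
end

# Id-only session: every request sees the current database state.
def id_session_demo
  USERS[1] = User.new(1, "alice", true)
  session = reload_session({ user: 1 })
  USERS[1].admin = false
  admin_after_revoke = current_user(session).admin
  USERS.delete(1)                   # account removed entirely
  [admin_after_revoke, current_user(session)]
end

puts "record in session, admin after revoke: #{stale_session_demo}"
puts "id in session, [admin, user after delete]: #{id_session_demo.inspect}"
```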