I had been using the cookie-based session until recently, then switched to using active_record_store (db) as it said:
# Use the database for sessions instead of the cookie-based default, # which shouldn't be used to store highly confidential information
in the session_store.rb file.
Everything works fine, but I don't really understand why it's still setting a cookie instead of just using the session db. Is that a normal behavior when using a database for session management?
I see the difference now - with the session_store db instead of the cookie, the cookie is a mere reference to the record in the db. So that makes it more secure than the cookie-based. But I still have a question about the life of the session record in the session db. It doesn't seem to get deleted when the session ends. Is there a method to do that with this class? Thanks!
you are suppose to deleted manually, you can create a rake task and set up a crontab.
thanks, radhames brito.
I was hoping it was done automagically somehow.. , but found a good
reference.. 
http://translated.by/you/rails-in-a-nutshell-chapter-2-action-controller/original/?page=2