Secure hidden variables in rails?

When I've worked with drupal, where you might normally pass variables through the client via a hidde开发者_如何学编程n field on a form, there was an option to use a 'secure hidden field', which meant that the hidden values you were passing through were done via the authenticity token and maintained server side, thereby preventing the user seeing/modifying them.

Is this something that's possible with rails? If so, how is it done?

The Rails session object will accomplish what you're trying to do here. First, you should configure your Rails stack to use the ActiveRecord or Memcache sessions. This will drop a session cookie on your user's web browser, with an ID containing no data. This ID relates to a session object containing information about your user. In code, you can set this like:

 session[:myvar] = "data I want to store"

This data will never be sent over the wire, but available on the server side at any time, simply by accessing the session store like:

puts session[:myvar]

This is all done transparently to you by the Rails stack - no need for you to manually set or reference the cookie.

To further secure the session, you can require the session token to be sent over SSL. More information here:

http://guides.rubyonrails.org/security.html#what-are-sessions