I suggest you to take a look into sessions chapter of rails security guide- it answers your question in detail and will help you to understand how it works.

我建议您查看Rails 安全指南的会话章节- 它详细回答了您的问题，并将帮助您了解它是如何工作的。

By default rails uses cookies to store the session data. All data is stored in the client, not on the server.

默认情况下，rails 使用 cookie 来存储会话数据。所有数据都存储在客户端，而不是服务器上。

In Rails, session object is sent back and forth inside cookies.

在 Rails 中，会话对象在 cookie 中来回发送。

When you set session[:user_id] = 3inside of your controller action, the response sent from that action will have a header Set-Cookie: my-session-cookie. From now on browser will automatically send a header Cookie: my-session-cookieback to server on every request.

当您session[:user_id] = 3在控制器操作内部设置时，从该操作发送的响应将具有 header Set-Cookie: my-session-cookie。从现在开始，浏览器会Cookie: my-session-cookie在每次请求时自动将标头发送回服务器。

This is how my-session-cookie usually looks:

这是 my-session-cookie 通常的样子：

_Hello_session=BAh7B0kiD3%3D%3D--dc40a55cd52fe32bb3b84ae0608956dfb5824689

which translates into:

翻译成：

_Hello_session=<encrypted user_id=3>--<digital signature>

• Hellois the name of your Rails app.
• To prevent evil people from understanding a=bstring, it's encrypted.
• To prevent evil people from tampering cookies, digital signatureis used.

• Hello是您的 Rails 应用程序的名称。
• 为了防止邪恶的人理解a=b字符串，它被加密了。
• 为了防止邪恶的人篡改cookie，使用了数字签名。

Both encryption (and decryption), and signing (and verifying) are done using a server-side secret key secrets.secret_key_basestored in /config/secrets.yml.

加密（和解密）和签名（和验证）都是使用secrets.secret_key_base存储在/config/secrets.yml.