Reading the source

I got the source from GitHub. rails -v reported 3.2.13, so I checked out that version. Running M-x find-grep gives roughly the following.

./actionpack/lib/action_controller/base.rb:84:  # or you can remove the entire session with +reset_session+.
./actionpack/lib/action_controller/metal/rack_delegation.rb:22:    def reset_session
./actionpack/lib/action_controller/metal/rack_delegation.rb:23:      @_request.reset_session
./actionpack/lib/action_controller/metal/request_forgery_protection.rb:85:        reset_session
./actionpack/lib/action_dispatch/http/request.rb:215:    def reset_session

For now, I'll check the one in ./actionpack/lib/action_controller/base.rb. The comment is quoted below. Or rather, I'm about to work through it.

== Sessions

Sessions allow you to store objects in between requests. This is useful for objects that are not yet ready to be persisted, such as a Signup object constructed in a multi-paged process, or objects that don't change much and are needed all the time, such as a User object for a system that requires login. The session should not be used, however, as a cache for objects where it's likely they could be changed unknowingly. It's usually too much work to keep it all synchronized -- something databases already excel at.

You can place objects in the session by using the session method, which accesses a hash:

session[:person] = Person.authenticate(user_name, password)

And retrieved again through the same hash:

Hello #{session[:person]}

For removing objects from the session, you can either assign a single key to +nil+:

# removes :person from session
session[:person] = nil

or you can remove the entire session with +reset_session+.

Sessions are stored by default in a browser cookie that's cryptographically signed, but unencrypted.
This prevents the user from tampering with the session but also allows him to see its contents.

Do not put secret information in cookie-based sessions!

Other options for session storage:

* ActiveRecord::SessionStore - Sessions are stored in your database, which works better than PStore with multiple app servers and,
unlike CookieStore, hides your session contents from the user. To use ActiveRecord::SessionStore, set

MyApplication::Application.config.session_store :active_record_store

in your config/initializers/session_store.rb and run script/rails g session_migration.

Hmm.
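
The "cryptographically signed, but unencrypted" property from the quoted comment, as an added example that is not part of the original post or of the Rails code base. It is a standalone re-implementation of the "<Base64 Marshal data>--<HMAC-SHA1 hex digest>" layout that ActiveSupport::MessageVerifier produces in Rails 3.2; the secret, the session contents and all function names are constructed for illustration.

```ruby
require "base64"
require "openssl"

# Constructed values for illustration; not from the page or a real application.
SECRET  = "constructed-secret-token-for-this-example-only"
SESSION = { "session_id" => "0123abcd", "email" => "alice@example.test" }

def hmac(secret, data)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("SHA1"), secret, data)
end

# Build a cookie value shaped like the 3.2 signed cookie: "<base64 Marshal>--<hex HMAC-SHA1>".
def sign(value, secret)
  data = Base64.strict_encode64(Marshal.dump(value))
  "#{data}--#{hmac(secret, data)}"
end

# What anyone holding the cookie can do without the secret: read the raw bytes.
# Marshal.load is deliberately not called on unverified data.
def peek(cookie)
  Base64.decode64(cookie.split("--", 2).first)
end

# Constant-time comparison so the digest check does not leak timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server side: deserialize only after the signature verifies; nil otherwise.
def verify(cookie, secret)
  data, digest = cookie.to_s.split("--", 2)
  return nil if data.nil? || digest.nil?
  return nil unless secure_compare(digest, hmac(secret, data))
  Marshal.load(Base64.strict_decode64(data))
end

# Re-encode a modified payload while keeping the old signature (a tampered cookie).
def tamper(cookie)
  _, digest = cookie.split("--", 2)
  forged = Base64.strict_encode64(Marshal.dump(SESSION.merge("email" => "mallory@example.test")))
  "#{forged}--#{digest}"
end

if __FILE__ == $PROGRAM_NAME
  cookie = sign(SESSION, SECRET)
  puts "readable without secret: #{peek(cookie).include?('alice@example.test')}"
  puts "verified session:        #{verify(cookie, SECRET).inspect}"
  puts "tampered cookie:         #{verify(tamper(cookie), SECRET).inspect}"
end
```

The stored e-mail address is visible in the decoded bytes without the secret, while the modified cookie fails verification and yields nil.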

I found this:

      # This is the method that defines the application behavior when a request is found to be unverified.
      # By default, \Rails resets the session when it finds an unverified request.
      def handle_unverified_request
        reset_session
      end

Grepping for this looks promising, lol.
But that's it for today; or rather, the morning practice continues another day, orz.