Saifis

Reputation: 2237

How to invalidate specific session at logout in Rails /w Devise?

I want to invalidate the session when a user logs out using Devise; I have a callback to catch when a user logs out, for more protection against session hijacking.

class ApplicationController < ActionController::Base
  # Override Devise's sign_out helper: let Devise sign the user out first,
  # then drop the current session and issue a fresh session id.
  def sign_out(*args)
    super(*args)
    reset_session
  end
end

My understanding was that this would remove the session info stored on the server side, therefore invalidating it.

However, I can still log in using the session id I got before signing out. Am I misunderstanding how it works? I only want to invalidate just this session, not all of them.

I am using the default for session_store.

Upvotes: 8

Views: 4738

Answers (1)

Saifis

Reputation: 2237

After some googling and meditating, I came upon this question, which could be modified to fit my needs,

all I did was

application_controller.rb

  # Blank the per-session token stored on the user record before Devise
  # finishes signing out. current_sign_in_token is a custom column (not a
  # stock Devise field) that a before_action compares against the token kept
  # in the session on every request. Guarded so a sign_out with no signed-in
  # user does not raise on nil.
  def sign_out(*args)
    current_user.update_attribute(:current_sign_in_token, "") if current_user
    super
  end

which will invalidate the sign_in_token, thus invalidating the session, so hijacking the session id will still get you kicked out.

Upvotes: 6
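As an added illustration (not code from the asker or from Devise), the plain Ruby model below shows why the question's reset_session approach leaves a copied cookie valid while the answer's token approach does not. With the Rails default CookieStore the whole session lives in the signed cookie, so the server keeps no state that reset_session could destroy; the old cookie stays verifiable. Storing a random per-session token on the user record and comparing it on every request adds the server-side state that sign-out can clear. The class, method and column names here are hypothetical; Devise's real Warden hooks and ActiveRecord are not modelled.

```ruby
require "securerandom"

# Constructed stand-in for the Devise user model with the custom column
# the answer relies on.
User = Struct.new(:id, :current_sign_in_token)

# Hypothetical per-session token scheme. On sign-in a random token is written
# both to the user record (server side) and into the session hash (which the
# CookieStore serializes into the cookie). A request is only authenticated
# when the two match.
class SessionGuard
  def initialize(user)
    @user = user
  end

  # Models Devise sign_in plus the custom token. Returns the session hash that
  # would become the cookie payload.
  def sign_in
    token = SecureRandom.hex(32)
    @user.current_sign_in_token = token
    { "user_id" => @user.id, "sign_in_token" => token }
  end

  # The per-request check a before_action would perform: the token presented
  # in the session must equal the one on the record. A blank record token
  # (set by sign_out) rejects every cookie, stolen or not.
  def authenticated?(session)
    stored = @user.current_sign_in_token
    presented = session["sign_in_token"]
    return false if stored.nil? || stored.empty? || presented.nil?
    return false unless stored.bytesize == presented.bytesize
    # Constant-time comparison so the token cannot be recovered via timing.
    stored.bytes.zip(presented.bytes).reduce(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
  end

  # The question's approach on a CookieStore: reset_session only hands the
  # browser a new, empty cookie. Nothing on the server changes, so any
  # previously captured cookie still carries a token that matches the record.
  def reset_session_only
    {}
  end

  # The answer's approach: blank the server-side token, then sign out.
  def sign_out
    @user.current_sign_in_token = ""
    {}
  end
end

# Scenario: a copy of the session cookie is taken after sign-in; the user then
# calls reset_session (copy still authenticates) and then the token-clearing
# sign_out (copy no longer authenticates).
def copied_cookie_outcomes
  user = User.new(1, nil)
  guard = SessionGuard.new(user)
  copied_cookie = guard.sign_in.dup

  after_reset = guard.authenticated?(copied_cookie)   # true: server state untouched
  guard.reset_session_only
  after_reset &&= guard.authenticated?(copied_cookie) # still true

  guard.sign_out
  after_sign_out = guard.authenticated?(copied_cookie) # false: token blanked

  { reset_session_only: after_reset, token_sign_out: after_sign_out }
end

if __FILE__ == $PROGRAM_NAME
  p copied_cookie_outcomes # => {:reset_session_only=>true, :token_sign_out=>false}
end
```

Because the token is regenerated on every sign-in, only the session that was signed out is invalidated; a user signed in from another browser keeps working until that session signs out and its own token is cleared, which is the "just this session, not all of them" behaviour the question asks for.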
