Reputation: 1213
Devise rails session ID
It turns out that getting the session ID (with session[:session_id]) after login with Devise (authentication gem) (either in session_controller or in after_sign_in_path_for) does not return the same thing before and after redirecting for the first time, after logging-in.
Is anyone able to explain me why ? Is there any way to get the final session ID before redirecting ?
Upvotes: 3
Views: 2015
Answers (1)
Reputation: 1213
FYI answer from Gee-Bee (https://github.com/Gee-Bee):
https://github.com/plataformatec/devise/issues/3706
Is anyone can explain me why ?I'll try. In short:
Devise has nothing to do with it Warden has something to do with it - it's setting :renew option on session, after setting user (proxy, spec) Actual action takes place in in Rake::Session::Abstract#commit_session which updates session_id (bycalling destroy_session and set_session implementented in ActionDispatch::Session::CookieStore)
Is there any way to get the final session ID before redirecting ?Sure it is. Bear in mind that Warden is changing session_id after authentication to prevent session fixation attacks, so in overriden devise controller you should manually change session_id in addition to disabling :renew session option. This will do:
session.options[:id] = session.instance_variable_get(:@by).generate_sid session.options[:renew] = false
Upvotes: 1
Related Questions
- How can I find a devise user by it's session id?
- Devise Remember Me and Sessions
- Session variable Rails
- Rails and Devise - Access session data
- Accessing the new session_id in devise after sign_in
- Preserving Rails 4 Devise Session Id Before & After Sign In
- Unique Session ids in Rails
- Rails devise: user_signed_in? and current_account
- Rails devise session
- Rails devise Sessions Controller