Devise: Reset session on log out #91
Assignees
Comments
eoinkelly
added a commit
that referenced
this issue
Jun 3, 2020
The default devise behaviour does not invalidate session cookies after logout so if an attacker can retrieve a cookie from a session they can use it even if the user has logged out. We have used variations of this change successfully on a number of Rails apps in production. References * heartcombo/devise#3031 * http://maverickblogging.com/logout-is-broken-by-default-ruby-on-rails-web-applications/ * https://makandracards.com/makandra/53562-devise-invalidating-all-sessions-for-a-user Fixes #91
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Rials by default keeps a persistent session that the request/response cycle can add session data to. In order to make sure that we do not retain potential user data (outside of the warden user ID) in cookies, we should reset the session when the user logs out.
This will cause the entire session to be reset.
The text was updated successfully, but these errors were encountered: