Reset devise session cookies on logout #96

eoinkelly · 2020-06-03T20:57:41Z

The default devise behaviour does not invalidate session cookies after logout so if an attacker can retrieve a cookie from a session they can use it even if the user has logged out.

We have used variations of this change successfully on a number of Rails apps in production.

References

Fixes #91

The default devise behaviour does not invalidate session cookies after logout so if an attacker can retrieve a cookie from a session they can use it even if the user has logged out. We have used variations of this change successfully on a number of Rails apps in production. References * heartcombo/devise#3031 * http://maverickblogging.com/logout-is-broken-by-default-ruby-on-rails-web-applications/ * https://makandracards.com/makandra/53562-devise-invalidating-all-sessions-for-a-user Fixes #91

eoinkelly added 2 commits June 4, 2020 06:49

Merge branch 'master' into reset-devise-session-cookies-on-logout

be9cd3a

eoinkelly requested review from Breccan, joshmcarthur, G-Rath, mattsinnock, CaraHill, OBaddeley, l-suzuki, JacobBriggsAckama, hopkincame, mischa-s, JamesYang76, lamorrison, Rabid-Dan and trevh-ack June 3, 2020 20:57

CaraHill approved these changes Jun 4, 2020

View reviewed changes

joshmcarthur approved these changes Jun 5, 2020

View reviewed changes

eoinkelly merged commit 76f4d71 into master Jun 5, 2020

eoinkelly deleted the reset-devise-session-cookies-on-logout branch June 5, 2020 03:27

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Reset devise session cookies on logout #96

Reset devise session cookies on logout #96

eoinkelly commented Jun 3, 2020

Reset devise session cookies on logout #96

Reset devise session cookies on logout #96

Conversation

eoinkelly commented Jun 3, 2020