Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Devise - Invalidate user session if the same user logs in from a different browser/machine

Tags:

ruby-on-rails-3

devise

I have a scenario where i need to restrict users from having only one active session at a time. Mine is a rails3 application and uses devise for authentication. I'm interested in keeping only the latest user session active. i.e., if a user logs in while there is another session active for the same username, i want to inactivate the older session and allow the recent one. Is there a way, in devise, to get hold of user sessions and invalidate them?

like image 811
Kalarani Avatar asked Sep 09 '11 09:09

Kalarani

2 Answers

You can track a particular user's session by storing a unique token specific to that user in the database.

Create a migration to add the field for storing the token. I assume the devise model is User.

class AddSignInTokenToUsers < ActiveRecord::Migration
  def change
    add_column :users, :current_sign_in_token, :string
  end
end

Add the following code to application_controller.rb

class ApplicationController < ActionController::Base
  before_filter :invalidate_simultaneous_user_session, :unless => Proc.new {|c| c.controller_name == 'sessions' and c.action_name == 'create' }

  def invalidate_simultaneous_user_session
    sign_out_and_redirect(current_user) if current_user && session[:sign_in_token] != current_user.current_sign_in_token
  end

  def sign_in(resource_or_scope, *args)
    super
    token = Devise.friendly_token
    current_user.update_attribute :current_sign_in_token, token
    session[:sign_in_token] = token
  end
end

sign_in(resource_or_scope, *args) is a devise hook that will be called every time the user logs in.

invalidate_simultaneous_user_session will log out the current user if another instance of the current user logs in. This will ensure that only one session is active for a user at any instance of time.

invalidate_simultaneous_user_session filter should be skipped for the user login action to update the newly logged in user's token. I am not happy with using a Proc to skip the filter based on controller name and action. If you have already overridden devise's sessions_controller, then include skip_before_filter :check_simultaneous_user_session inside that controller and you can get rid of the Proc!

Hope this helps..

like image 190
dexter Avatar answered Jan 04 '23 01:01

dexter

For updated devise for rails 4, you may change the code according to this

http://pastebin.com/p6mvC8T3

like image 31
James Tan Avatar answered Jan 03 '23 23:01

James Tan
Sign in to Comment

Related questions

How do you generate the form for an existing model in Rails?
How to unstub Mocha mock?
.where vs find. ActiveRecord::Relation NoMethodError
Rails threaded private messaging
rspec and undefined method on model
Unable to run cap deploy:setup on ec2, the task `deploy:setup' does not exist
no such file to load -- readline (Load Error)
Where to configure Rails 3 cache_store?
How to write a rails query that returns the count by Month?
What's wrong with the gemspec?
Is ruby really an fully object oriented language?
how to iterate inside a simple_fields_for?
number_to_human with currency
Pusher in Rails: "Unknown auth_key" - server side not triggering events
set authentication token in http header
gmap4rails - can't find file underscore / Gmaps is not defined
Failed to build native extension
Rails 3 Server Startup problem with fastercsv
Using gems in Rails 3
How do you crop a specific area with paperclip in Rails (3)?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!