I want to invalidate the session when a user logs out using Devise. I have a callback to catch when a user logs out, for more protection against session hijacking.
    class ApplicationController < ActionController::Base
      # Override Devise's sign_out so the Rails session is reset after sign-out.
      def sign_out(*args)
        super(*args)
        reset_session
      end
    end
My understanding was that this would remove the session info stored on the server side, therefore invalidating it.
However, I can still log in using the session id I got before signing out. Am I misunderstanding how it works? I only want to invalidate just this session, not all of them.
I am using the default for session_store.
To invalidate a session manually, call the following method: `session.invalidate();` All objects bound to the session are removed.
Session invalidation means destroying the session. So if the session is destroyed, it indicates that the server can't identify the client which visited previously. So now it creates a new session id for that client.
After some googling and meditating, I came upon this question, which could be modified to fit my needs.
All I did was, in application_controller.rb:
    # Blank the per-login token before Devise signs the user out, so any copy
    # of the old session can no longer be matched against the stored token.
    def sign_out(*args)
      current_user.update_attribute(:current_sign_in_token, "")
      super
    end
which will invalidate the sign_in_token, thus invalidating the session, so hijacking the session id will still get you kicked out.
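The check the self-answer relies on, as an added example that is not part of the original post or of Devise: a plain-Ruby simulation in which the session carries a per-login token that must match the token stored on the user, so blanking the stored token on sign-out invalidates a replayed cookie. The `User` struct, `USERS` hash and the session hash are constructed stand-ins for the ActiveRecord model and the cookie-backed Rails session.

```ruby
require "securerandom"

# Constructed stand-in for a Devise user record; in the real app this is an
# ActiveRecord model with a `current_sign_in_token` column.
User = Struct.new(:id, :current_sign_in_token)
USERS = { 1 => User.new(1, nil) } # constructed in-memory "database"

# Constant-time comparison so the token check does not leak timing information.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Sign in: mint a random token, persist it on the user, and put it in the
# session next to the user id. The returned hash plays the role of the
# cookie-backed Rails session.
def sign_in(user)
  user.current_sign_in_token = SecureRandom.hex(16)
  { "user_id" => user.id, "sign_in_token" => user.current_sign_in_token }
end

# Per-request check: a session is valid only if the token it carries still
# matches the token stored server-side for that user.
def authenticate(session)
  user = USERS[session["user_id"]]
  return nil if user.nil?
  stored = user.current_sign_in_token.to_s
  return nil if stored.empty?
  secure_compare(stored, session["sign_in_token"].to_s) ? user : nil
end

# Sign out: blank the server-side token, mirroring
# `current_user.update_attribute(:current_sign_in_token, "")`. A copy of the
# old cookie now fails `authenticate` even though the cookie is unchanged.
def sign_out(user)
  user.current_sign_in_token = ""
end

# Scenario from the question: capture the cookie, sign out, replay the cookie.
def replay_after_sign_out
  user = USERS[1]
  stolen_cookie = sign_in(user).dup
  before = !authenticate(stolen_cookie).nil?
  sign_out(user)
  after = !authenticate(stolen_cookie).nil?
  [before, after] # => [true, false]
end
```

With the default cookie store the session data lives in the browser, so `reset_session` alone cannot revoke a copy that was already taken; the server-side token is what makes the revocation stick.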