I'm using Devise with Ruby on Rails to develop a game.
Users are able to login and join the game.
When they first login, everything is fine - it shows that they are logged in as the expected person.
But very rarely I have noticed (both in real world use as well as once in testing) a situation that boggles me.
Suddenly one of the users "becomes" a different user, as if they had logged in as the other user. They have full access to that account, and Rails thinks that they have logged in as the different user. Everything, such as "current_user.name" and "current_user.email", is according to the other user, the one they were not previously logged in as and a user they have no permission to become.
I can't figure out where in my code this might be coming from. I don't want to post the entirety of my code here, so I was hoping for some brainstorming of how it would even be possible to cause something like this to happen in my code - or am I more likely looking at a Devise bug where Devise is screwing up the session it returns under certain race conditions?
The latter is somewhat scarier to deal with from a general security perspective for any site that uses Devise, but I figure someone else would have seen this by now. So I figure it must be in my code - but nowhere in my code do I touch the session info, nor do I ever do anything weird like assign current_user to anything.
To be very clear about what happens:
Any thoughts on what I might be missing?
My Devise setup allows for email/password login as well as OAuth login with Facebook and the like.
--
As requested, here is the Devise migration:
--
class DeviseCreateUsers < ActiveRecord::Migration
  def change
    create_table(:users) do |t|
      ## Database authenticatable
      t.string :email,              null: false, default: ""
      t.string :encrypted_password, null: false, default: ""

      ## Recoverable
      t.string   :reset_password_token
      t.datetime :reset_password_sent_at

      ## Rememberable
      t.datetime :remember_created_at

      ## Trackable
      t.integer  :sign_in_count, default: 0, null: false
      t.datetime :current_sign_in_at
      t.datetime :last_sign_in_at
      t.string   :current_sign_in_ip
      t.string   :last_sign_in_ip

      ## Confirmable
      t.string   :confirmation_token
      t.datetime :confirmed_at
      t.datetime :confirmation_sent_at
      t.string   :unconfirmed_email # Only if using reconfirmable

      ## Lockable
      # t.integer  :failed_attempts, default: 0, null: false # Only if lock strategy is :failed_attempts
      # t.string   :unlock_token # Only if unlock strategy is :email or :both
      # t.datetime :locked_at

      t.timestamps
    end

    add_index :users, :email,                unique: true
    add_index :users, :reset_password_token, unique: true
    # add_index :users, :confirmation_token,   unique: true
    # add_index :users, :unlock_token,         unique: true
  end
end
There are multiple ways this can happen; obviously it's hard to tell from here what is going wrong. Since Devise is battle tested, I'd assume it's something you do, rather than something Devise is doing (of course it is still possible that Devise has a bug, but more likely your code is buggy).
Do you have
Can you find a way to reproduce the error locally? Perhaps with a script that logs in as different users and checks that the user stays the same. What server does it happen with? What session store do you use?
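Added example, not code from the question or the answer: a plain-Ruby replay harness in the spirit of the reproduction script suggested above, using a constructed stand-in for the users table and the session cookie lookup rather than Devise itself. It contrasts a hypothetical helper that memoizes current_user on an object outliving a single request (so the first identity resolved sticks for later requests from other sessions) with a per-request lookup, and the harness reports every request whose resolved user differs from the session's owner.

```ruby
# Constructed stand-ins (not Devise): a users table and a session-cookie
# to user-id map, as a session store would hold after two logins.
USERS = {
  1 => { name: "alice", email: "alice@example.test" },
  2 => { name: "bob",   email: "bob@example.test" },
}.freeze
SESSIONS = { "sid-a" => 1, "sid-b" => 2 }.freeze # cookie value => user id

# Hypothetical buggy helper: it lives longer than one request and caches
# current_user with ||=, so whoever is resolved first "becomes" everyone.
class LeakyHelper
  def current_user(session_id)
    @current_user ||= USERS.fetch(SESSIONS.fetch(session_id))
  end
end

# Per-request resolution: nothing about identity survives the request.
class ScopedHelper
  def current_user(session_id)
    USERS.fetch(SESSIONS.fetch(session_id))
  end
end

# Replays requests from different sessions against one shared helper and
# returns each case where the resolved user is not the session's owner.
def identity_mismatches(helper, request_log)
  request_log.each_with_index.filter_map do |(session_id, expected_id), i|
    got      = helper.current_user(session_id)
    expected = USERS.fetch(expected_id)
    next if got.equal?(expected)
    { request: i, session: session_id, expected: expected[:email], got: got[:email] }
  end
end

# Constructed request log: two sessions interleaved, as two players would be.
REQUEST_LOG = [["sid-a", 1], ["sid-b", 2], ["sid-a", 1], ["sid-b", 2]].freeze

if __FILE__ == $PROGRAM_NAME
  puts "leaky:  #{identity_mismatches(LeakyHelper.new, REQUEST_LOG).inspect}"
  puts "scoped: #{identity_mismatches(ScopedHelper.new, REQUEST_LOG).inspect}"
end
```

The same harness can be pointed at a real app by replacing the helper with an HTTP client that sends each session's cookie and parses the returned user, which is the check the answer asks for.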