> The most effective countermeasure is to issue a new session identifier and declare the old one invalid after a successful login. That way, an attacker cannot use the fixed session identifier. This is a good countermeasure against session hijacking, as well. Here is how to create a new session in Rails: `reset_session`
>
> If you use the popular RestfulAuthentication plugin for user management, add `reset_session` to the `SessionsController#create` action. Note that this removes any values from the session; you have to transfer them to the new session.
Hi,

Looks like the `login` method resets and restores the session, but the `auto_login` method doesn't. I think the `auto_login` method should too. How about? 👀

Ruby On Rails Security Guide
Referenced code (permalinks at commit 4485701):

- sorcery/lib/sorcery/controller.rb, lines 116 to 119
- sorcery/lib/sorcery/controller.rb, lines 37 to 64
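The countermeasure quoted in the issue, as an added example in plain Ruby that is not sorcery's code: `SessionStore`, `login_with_rotation` and the `:return_to` / `:user_id` keys are assumed names standing in for the Rails session and a controller's login path, and the store is an in-memory stand-in for a real session backend.

```ruby
# Added example, not sorcery's code: an in-memory model of the countermeasure
# quoted above. Login rotates the session id, invalidates the old one and
# carries the old values over, the step a bare reset_session leaves to the caller.
require 'securerandom'
class SessionStore
  def initialize
    @sessions = {} # session_id => Hash of session values
  end
  # A fresh anonymous session: the kind of id a fixation attack would try
  # to plant in a victim's browser before login.
  def create
    id = SecureRandom.hex(16)
    @sessions[id] = {}
    id
  end

  def [](id)
    @sessions[id]
  end

  def valid?(id)
    @sessions.key?(id)
  end

  # Equivalent of Rails' reset_session: destroy the old id, hand out a new
  # one with an empty value hash.
  def reset(old_id)
    @sessions.delete(old_id)
    create
  end
end

# Login with rotation: copy the values, rotate the id, restore the copy and
# record the authenticated user. Returns the new session id.
def login_with_rotation(store, old_id, user_id)
  carried = (store[old_id] || {}).dup
  new_id = store.reset(old_id)
  store[new_id].merge!(carried)
  store[new_id][:user_id] = user_id
  new_id
end

if __FILE__ == $PROGRAM_NAME
  store = SessionStore.new
  fixed_id = store.create
  store[fixed_id][:return_to] = '/cart'
  new_id = login_with_rotation(store, fixed_id, 42)
  puts "old id valid? #{store.valid?(fixed_id)}, carried: #{store[new_id][:return_to]}"
end
```

The check a test for `auto_login` would make is the same one: after the call, the pre-login id must no longer resolve while the values it held are still present under the new id.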