Rails Login Reset Session

Question

Is it best practice to call reset_session when a user successfully signs in and to call it again when a user signs out? Are there any side effects/problems to doing this?

Answer 1

That's really going to depend on how you store things in session and how you want the security to operate.

Reset session will drop everything from the user's session, so if they hop back into the login screen and sign back in but still had (for example) a shopping cart stored to their session, you'll clear that which may be undesirable.

If you're not storing any data you feel the users might want to hold on to, I know of no reason clearing the session before processing a login attempt would hurt at all, an on sign outs I recommend it.