Is it best practice to call reset_session when a user successfully signs in and to call it again when a user signs out? Are there any side effects/problems to doing this?
I consider it good practice to reset the session when a user logs in. That way, malicious individuals can't sniff out their session cookie before a client's connection is encrypted and still use it after they use the sign-in form over HTTPS. Try:
temp = session.to_hash  # plain Hash copy: in newer Rails reset_session empties the very object that session refers to
reset_session           # new session id; the old cookie value is no longer valid
session.update(temp)    # the reset session is empty, so this is the same as reverse_merge! on the old hash
This way, session gets the new values generated by reset_session, but any other session variables remain intact.
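To make the fixation argument from the answer concrete, here is an added, framework-free Ruby model of a server-side session store with Rails-like reset_session semantics. It is example code written for this page, not Rails' own implementation or code from the answer; the SessionStore class, its KEEP_ACROSS_LOGIN carry-over list and the fixation_demo walkthrough are all assumptions made for the illustration. It shows the vulnerable sign-in that keeps the client's id next to the hardened one that rotates it, and why copying back only a short whitelist of pre-login keys is safer than carrying everything across the reset.

```ruby
require 'securerandom'

# Minimal server-side session store: session id (the cookie value) => Hash.
# Assumed for this example; not Rails' session store.
class SessionStore
  # Pre-login keys worth carrying across the reset (assumed for the example).
  KEEP_ACROSS_LOGIN = %w[return_to locale].freeze

  def initialize
    @sessions = {}
  end

  # Issue a fresh, unguessable id. The store never adopts an id it did not
  # issue; an unknown cookie value just gets a new empty session.
  def create(data = {})
    id = SecureRandom.hex(16)
    @sessions[id] = data
    id
  end

  def valid?(id)
    @sessions.key?(id)
  end

  def get(id, key)
    @sessions.fetch(id)[key]
  end

  def set(id, key, value)
    @sessions.fetch(id)[key] = value
  end

  # Rails-like reset_session: drop the old id and everything stored under it,
  # mint a new id. Only the explicitly listed keys are copied over, so data an
  # attacker planted in the pre-login session does not survive.
  def reset_session(id, keep: [])
    old = @sessions.delete(id) || {}
    create(old.slice(*keep))
  end

  # Vulnerable: keep whatever id the client presented. If an attacker fixed
  # that id in the victim's browser beforehand, the attacker's copy of the
  # cookie becomes an authenticated session the moment the victim logs in.
  def sign_in_without_reset(cookie_id, user_id)
    id = valid?(cookie_id) ? cookie_id : create
    set(id, "user_id", user_id)
    id
  end

  # Hardened: rotate the id at the privilege boundary, keeping only the
  # whitelisted pre-login keys (the answer's temp/reset/update pattern,
  # restricted to a few keys instead of the whole session).
  def sign_in(cookie_id, user_id)
    id = valid?(cookie_id) ? cookie_id : create
    id = reset_session(id, keep: KEEP_ACROSS_LOGIN)
    set(id, "user_id", user_id)
    id
  end

  # Sign-out resets again so the cookie the browser still holds is worthless.
  def sign_out(id)
    reset_session(id)
  end
end

# Walk a fixation attempt through both variants and report what happened.
def fixation_demo
  results = {}

  # Weak variant: the attacker's pre-issued id is kept across login.
  weak = SessionStore.new
  fixed = weak.create                                  # id the attacker planted
  weak.set(fixed, "return_to", "/account")             # victim's pre-login state
  weak.set(fixed, "planted", "attacker-controlled")
  weak.sign_in_without_reset(fixed, 42)
  results[:weak_attacker_has_user] = weak.valid?(fixed) && weak.get(fixed, "user_id") == 42

  # Hardened variant: the id is rotated, so the planted id dies at login.
  strong = SessionStore.new
  fixed = strong.create
  strong.set(fixed, "return_to", "/account")
  strong.set(fixed, "planted", "attacker-controlled")
  after = strong.sign_in(fixed, 42)
  results[:strong_id_rotated] = after != fixed
  results[:strong_attacker_cookie_dead] = !strong.valid?(fixed)
  results[:strong_user_id] = strong.get(after, "user_id")
  results[:strong_return_to] = strong.get(after, "return_to")
  results[:strong_planted_dropped] = strong.get(after, "planted").nil?

  out = strong.sign_out(after)
  results[:signed_out_old_cookie_dead] = !strong.valid?(after)
  results[:signed_out_empty] = strong.get(out, "user_id").nil?
  results
end
```

The practical caveat is the carry-over step: if sign-in copies the entire old session back, anything an attacker was able to plant in it (and, with a cookie store, the whole pre-login state) comes along too, so prefer a short list of keys you actually need after login.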