Is it best practice to call reset_session when a user successfully signs in and to call it again when a user signs out? Are there any side effects/problems to doing this?
A lot of the answers here haven't aged well due to the Rails API changing, so I'll just leave one here that works as of Rails 5.0 at least.
As others have noted, the Rails Security Guide recommends calling reset_session on login to avoid session fixation attacks.
You may want your session cleared on login, but if you just want to change the session id and keep everything else (i.e. no side-effects), you can do it like this:
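    def mitigate_session_fixation
      # Snapshot the current session contents before they are wiped.
      old_values = session.to_hash
      # Discard the old session and issue a new session id.
      reset_session
      # Restore the saved values, leaving out the old session id.
      session.update old_values.except('session_id')
    end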
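An added example, not part of the answer above and not Rails code: a plain-Ruby model of a server-side session store, showing why the session id has to change at login while the stored values can be carried over. `SessionStore` and the helper names are hypothetical, and the session contents are constructed sample data.

```ruby
require 'securerandom'

# Constructed in-memory model of a server-side session store (not Rails itself).
class SessionStore
  def initialize
    @sessions = {} # session id => data hash
  end

  # Issue a fresh random id with an empty session behind it.
  def create
    id = SecureRandom.hex(16)
    @sessions[id] = {}
    id
  end

  def load(id)
    @sessions[id]
  end

  # Model of reset_session: the old id stops resolving, a new empty session is issued.
  def reset(id)
    @sessions.delete(id)
    create
  end
end

# Login without rotation: the id that existed before login becomes authenticated.
def login_without_rotation(store, id, user_id)
  store.load(id)['user_id'] = user_id
  id
end

# Login with rotation, following the answer's pattern: snapshot, reset, restore.
# The id is the store key here, so there is no 'session_id' entry to drop.
def login_with_rotation(store, id, user_id)
  old_values = store.load(id).dup
  new_id = store.reset(id)
  store.load(new_id).update(old_values)
  store.load(new_id)['user_id'] = user_id
  new_id
end

# True if an id that was known before login now resolves to a logged-in session.
def pre_login_id_authenticated?(store, pre_login_id)
  data = store.load(pre_login_id)
  !data.nil? && data.key?('user_id')
end
```

A regression test for a real login action can make the same two checks: the session id after login differs from the one before, and the old id no longer resolves to an authenticated session.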