At some mystery point X with this rails app hosted on heroku, a logged in user would suddenly be logged in as another user. I am using the devise gem for authentication.
This has occurred for 2 users that we know of. I am currently tracking down what the root cause of this issue could be.
What I need to do right now is invalidate all devise sessions in order to force users to login again. After a user logs in, the problem seems to go away.
I tried reseting my secret_token but I was not forced to login again. I then scaled my web dynos down and then back up. I also restarted the app. All trying to get the secret_token change to reset the sessions.
Any other ideas?
Changing your session_token will work if you're storing your sessions in cookies (default).
But if you're storing in active_record, then you can delete all the sessions by:
rake db:sessions:clear
then: BAM! no more sessions.