I'm building a rails 4 app with JRuby on Torquebox, and running into a weird issue with the sessions. I'm using the devise gem to handle authentication which works well, except that as per the rails security guidelines, I'm trying to reset the session when a user successfully logs in.
I've created a Warden hook which handles this for me, which looks like this:

```ruby
# Warden callback fired after a user is set on the request (login or re-authentication).
Warden::Manager.after_set_user :event => [:set_user, :authentication] do |record, warden, options|
  if options[:scope] && warden.authenticated?(options[:scope])
    request = warden.request
    Rails.logger.debug "session - #{request.session}"
    # backup = request.session.to_hash
    # backup.delete(:session_id)
    request.reset_session   # expected to rotate the session id and clear its contents
    # request.session.update(backup)
    Rails.logger.debug "session - #{request.session}"
  end
end
```
This method is definitely being called, which is great; however the two outputs are both the same, and the session is not being reset at all. I'm using the TorqueBox session store, set up like:

```ruby
# session_store.rb
RtsBackend::Application.config.session_store :torquebox_store, {
  key: '_RtsBackend_session'
}
```

```ruby
# config.ru
use TorqueBox::Session::ServletStore
```
And it seems to be working, as TorqueBox has inserted data and session data from devise is working, but I just can't seem to clear it.
I was under the impression that devise did this automatically on login, but if it does then the same issue is occurring and rails isn't clearing it.
Any suggestions?
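As an added illustration (not code from the question, Devise, Rails or TorqueBox), the following pure-Ruby model shows what a correct `reset_session` on login has to do: rotate the session id *and* discard the old contents, so state from before authentication (including a session id fixed on the client before login) never becomes part of the authenticated session. `SessionStore` and `LoginService` are constructed names; `login` mirrors the pattern the question's commented-out lines reach for, carrying only an explicit allow-list of keys across the reset.

```ruby
# Added example, not part of the original question or answer.
# SessionStore and LoginService are constructed names, not Rails/TorqueBox APIs.
require 'securerandom'

class SessionStore
  Session = Struct.new(:id, :data)

  def initialize
    @sessions = {}
  end

  # Returns the session for +id+, or a fresh anonymous session when the id is
  # unknown or nil (as Rails does for a missing or invalid session cookie).
  def load(id)
    @sessions[id] || create
  end

  def create
    session = Session.new(SecureRandom.hex(16), {})
    @sessions[session.id] = session
    session
  end

  # Correct reset: destroy the old session server-side and hand back a new,
  # empty session under a new id. Both halves matter: a store that issues a
  # new id but keeps the old data (the behaviour the question observes) still
  # lets pre-login state leak into the authenticated session.
  def reset(session)
    @sessions.delete(session.id)
    create
  end

  def exists?(id)
    @sessions.key?(id)
  end
end

class LoginService
  # Keys that may survive the reset (e.g. a post-login redirect target).
  # Everything else set before authentication is dropped.
  KEEP_ACROSS_LOGIN = %i[return_to].freeze

  def initialize(store)
    @store = store
  end

  # Back up only the allow-listed keys, reset, restore them, then record the
  # authenticated user. Returns the new session.
  def login(session, user_id)
    backup = session.data.select { |k, _| KEEP_ACROSS_LOGIN.include?(k) }
    fresh = @store.reset(session)
    fresh.data.merge!(backup)
    fresh.data[:user_id] = user_id
    fresh
  end
end

# Constructed scenario: an anonymous session that already carries some state,
# one key we want to keep and one that must not survive authentication.
def demo
  store = SessionStore.new
  pre_login = store.create
  pre_login.data[:return_to]       = '/dashboard'
  pre_login.data[:pre_login_value] = 'must not survive'

  post_login = LoginService.new(store).login(pre_login, 42)

  {
    old_id: pre_login.id,
    new_id: post_login.id,
    old_id_still_valid: store.exists?(pre_login.id),
    data: post_login.data
  }
end

if __FILE__ == $PROGRAM_NAME
  p demo
end
```

The two debug lines in the question's hook should show exactly this difference: a different session id and an empty hash after `reset_session`. Logging identical output on both sides, as the question reports, means the store is not doing at least one of the two steps.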
So after digging around, and speaking with one of the core TorqueBox developers, it turned out to be a bug. In rails 4, they changed the way sessions were reset, which didn't involve clearing its contents.
Thanks to @bbrowning; with this commit it should now be sorted, pending a final test once the fix is pushed :)