ruby - Pre-post login session id is not changing in rails 2.3.2 app? -
We built a Rails 2.3.2 app that has a login/logout mechanism using the active_record_store session store.
Ruby 1.8.7, Rails 2.3.2, server: Apache (Passenger 4.0.59), config.action_controller.session_store = :active_record_store
Once the user clicks the log out button, we destroy the session using the Rails reset_session function, which drops it and creates a new session. After a successful log out the user is redirected to the login page with the newly created session. The user then logs in again with username and password, and the user information is stored in that created session.
Question:
How do I reset the session after a successful login (username/password) and store the user info in a new session? I want to fix this without the Devise gem.
I tried executing the reset_session function, which gives an empty hash.
    def login
      p session.session_id # 7bb32e02c4495b192b233089b0d586c7
      reset_session
      p session            # {}
      p session.session_id # nil
      a = authenticate(username, password)
      session[:app_id] = a.id
    end

    def logout
      # old session 5a4c229eba44d63058c50a23b104d6f6b6b981bb
      reset_session
      # new session 7bb32e02c4495b192b233089b0d586c7
      redirect_to_login
    end
This is an improper session management VAPT issue (security issue).
Please help me fix this issue.
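The login flow the question describes, as an added example that is not code from the question, from Rails or from any gem: a constructed, in-memory stand-in for an id-keyed session store (one row per session id, like active_record_store) and a controller that rotates the session id on successful login by calling reset_session first and only then storing the user data, so the pre-login id stops being accepted by the store. Every class, method, credential and field name here is an assumption made for the illustration; Rails 2.3's own reset_session and session store work differently internally.

```ruby
require 'securerandom'

# Constructed in-memory stand-in for an id-keyed session store:
# one row per session id, the row data is a Hash.
class SessionStore
  def initialize
    @rows = {}
  end

  def new_id
    SecureRandom.hex(20) # 40 hex chars, same shape as the ids in the question
  end

  def load(id)
    id && @rows[id] ? @rows[id].dup : nil
  end

  def save(id, data)
    @rows[id] = data.dup
  end

  def delete(id)
    @rows.delete(id)
  end

  def exist?(id)
    @rows.key?(id)
  end
end

# Hypothetical controller with the pieces the question uses: a session Hash,
# the session id taken from the browser's cookie, and reset_session.
class LoginController
  attr_reader :session, :session_id

  # Constructed credential table; a real app checks a password hash.
  USERS = { 'alice' => ['s3cret', 42] }

  def initialize(store, cookie_session_id = nil)
    @store = store
    @session_id = cookie_session_id
    @session = @store.load(cookie_session_id) || {}
    # A pre-login visitor also gets a session row (flash, return path, ...).
    @session_id ||= @store.new_id
  end

  # Forget the old row and start a fresh one under a brand-new id, so an id
  # an attacker may already know is no longer valid. Keys listed in `keep`
  # (for example a post-login redirect target) are carried over explicitly.
  def reset_session(keep = [])
    kept = @session.select { |k, _| keep.include?(k) }
    @store.delete(@session_id)
    @session_id = @store.new_id
    @session = Hash[kept]
  end

  def login(username, password)
    app_id = authenticate(username, password)
    return false unless app_id     # failed login: leave the session untouched
    reset_session([:return_to])    # rotate the id BEFORE writing user data
    @session[:app_id] = app_id
    commit
    true
  end

  def logout
    reset_session
    commit
  end

  # Persists the current session under its id (the end-of-request step).
  def commit
    @store.save(@session_id, @session)
  end

  private

  def authenticate(username, password)
    record = USERS[username]
    record && record[0] == password ? record[1] : nil
  end
end

# Drives the flow from the question: anonymous visit, then login with the
# pre-login cookie, and reports whether the id rotated and the old row died.
def session_rotation_demo
  store = SessionStore.new
  visitor = LoginController.new(store)
  visitor.session[:return_to] = '/dashboard'
  visitor.commit
  pre_login_id = visitor.session_id

  c = LoginController.new(store, pre_login_id)
  c.login('alice', 's3cret')
  post_login_id = c.session_id

  {
    :rotated     => pre_login_id != post_login_id,
    :old_id_dead => !store.exist?(pre_login_id),
    :app_id      => store.load(post_login_id)[:app_id],
    :return_to   => store.load(post_login_id)[:return_to]
  }
end
```

The check that matters for the VAPT finding is the one `session_rotation_demo` returns: the id the browser held before authentication differs from the one it holds afterwards, and the old id no longer resolves to a row. The simulation assigns the new id immediately inside reset_session, whereas the `nil` printed in the question is the gap between discarding the old id and the store handing out the new one; either way, the user data must be written only after the reset, never before it.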