
session_timeout: make sure remember_me's before_logout hook gets called

Open jankoegel opened this issue 1 year ago • 1 comment

  • related, with a different solution: https://github.com/Sorcery/sorcery/pull/304

The Problem

  • if an app uses both the session_timeout and the remember_me submodules, the following can happen:
    • even if a user's invalidate_sessions_before timestamp is set to now, their remember_me sessions will not be invalidated
    • reason: the remember_me cookie doesn't get deleted during the session_timeout submodule's validate_session
  • debug log that shows the flow of events without this PR:
    -> VALIDATE SESSION
    expired? false
    invalidated? true
    💣 RESETTING SESSION
    reset @current_user
    🍪 login_from_cookie
    🎂 register_login_time
    😱 assigning current user again

In the code

  • only logout calls the before- and after-logout hooks: https://github.com/Sorcery/sorcery/blob/d9dc0bd80a3d5689398baea4489b14ed78e6c42d/lib/sorcery/controller.rb#L75-L78

  • remember_me uses a before_logout hook to clear its cookie: https://github.com/Sorcery/sorcery/blob/d9dc0bd80a3d5689398baea4489b14ed78e6c42d/lib/sorcery/controller/submodules/remember_me.rb#L22

jankoegel avatar Feb 14 '24 13:02 jankoegel
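The flow in the debug log above, as an added toy model that is not Sorcery's own code: User, FakeController and the run_logout_hooks: switch are hypothetical stand-ins for the session_timeout and remember_me submodules. With the before_logout hook skipped, the remember_me cookie survives the session reset and login_from_cookie re-authenticates the user despite invalidate_sessions_before; running the hook first clears the cookie.

```ruby
# Added example, not Sorcery's code: toy model of the session_timeout +
# remember_me interaction. User, FakeController and run_logout_hooks:
# are hypothetical stand-ins for the real submodules.
class User
  attr_accessor :invalidate_sessions_before
end
class FakeController
  attr_reader :cookies, :current_user
  # run_logout_hooks: false models the flow in the issue's debug log,
  # true models validate_session calling the before_logout hooks first.
  def initialize(user, run_logout_hooks:)
    @user = user
    @run_logout_hooks = run_logout_hooks
    @session = { user_id: 1, login_time: Time.now - 60 }
    @cookies = { remember_me_token: 'constructed-token' } # constructed value
    @current_user = user
    # remember_me registers a before_logout hook that clears its cookie
    @before_logout = [->(c) { c.cookies.delete(:remember_me_token) }]
  end

  def invalidated?
    ts = @user.invalidate_sessions_before
    !ts.nil? && @session[:login_time] < ts
  end

  # Models session_timeout's validate_session followed by login_from_cookie.
  def validate_session
    if invalidated?
      @before_logout.each { |hook| hook.call(self) } if @run_logout_hooks
      @session.clear         # "RESETTING SESSION"
      @current_user = nil    # "reset @current_user"
    end
    login_from_cookie
    @current_user
  end

  def login_from_cookie
    return if @current_user || @cookies[:remember_me_token].nil?
    @current_user = @user                # "assigning current user again"
    @session[:login_time] = Time.now     # "register_login_time"
  end
end

# true if the user is still authenticated after all sessions were
# invalidated "now"; false once the before_logout hook has run.
def user_still_logged_in?(run_logout_hooks:)
  user = User.new
  user.invalidate_sessions_before = Time.now
  ctrl = FakeController.new(user, run_logout_hooks: run_logout_hooks)
  !ctrl.validate_session.nil?
end
```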