[英]Devise rails session ID
It turns out that getting the session ID (with session[:session_id]
) after login with Devise (authentication gem) (either in session_controller
or in after_sign_in_path_for
) does not return the same thing before and after redirecting for the first time, after logging-in. 事实证明,在登录后,在使用Devise(身份验证gem)(在session_controller
或after_sign_in_path_for
)登录后获得会话ID(带有session[:session_id]
)不会在第一次重定向前后返回相同的结果,在。
Is anyone able to explain me why ? 有人能解释我为什么吗? Is there any way to get the final session ID before redirecting ? 有什么办法可以在重定向之前获取最终的会话ID?
FYI answer from Gee-Bee ( https://github.com/Gee-Bee ): 仅供参考,来自Gee-Bee( https://github.com/Gee-Bee ):
https://github.com/plataformatec/devise/issues/3706 https://github.com/plataformatec/devise/issues/3706
Is anyone can explain me why ?
I'll try. 我会尽力。 In short: 简而言之:
Devise has nothing to do with it Warden has something to do with it - it's setting :renew option on session, after setting user (proxy, spec) Actual action takes place in in Rake::Session::Abstract#commit_session which updates session_id (by
calling destroy_session and set_session implementented in ActionDispatch::Session::CookieStore) 调用在ActionDispatch :: Session :: CookieStore中实现的destroy_session和set_session)
Is there any way to get the final session ID before redirecting ?
Sure it is. 当然是啦。 Bear in mind that Warden is changing session_id after authentication to prevent session fixation attacks, so in overriden devise controller you should manually change session_id in addition to disabling :renew session option. 请记住,Warden会在身份验证后更改session_id,以防止会话固定攻击,因此,在禁用的devise控制器中,除了禁用:renew session选项之外,您还应该手动更改session_id。 This will do: 这样可以:
session.options[:id] = session.instance_variable_get(:@by).generate_sid session.options[:renew] = false session.options [:id] = session.instance_variable_get(:@ by).generate_sid session.options [:renew] = false
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.