
Rails devise does not start session after registration

I am running a Rails 4 app with Devise 3.2.2.

When a user confirms the registration from the email link, the session does not start. The user has to go through auth again.

Expected: Confirming registration results in a fully authed session on the webpage.

In the model:

user.rb

devise :database_authenticatable, :registerable, :confirmable,
        :recoverable, :rememberable, :trackable, :validatable

session_store.rb:

Thumbs::Application.config.session_store :cookie_store, key: '_my_session'

While this might be obvious to many people, I am struggling a bit with this. Can somebody give a helping hand?

This used to be what happened, but it was before Devise 3.1. Since Devise 3.1, the approach is for users not to be logged in automatically after clicking on the link in their confirmation email. This is more secure as it guards against the case where somebody else gets hold of their email (or they just misspell their address when registering and it happens to be an address belonging to someone else so their confirmation is successfully sent to the wrong person) and the other person can then use the link to immediately log in to their account.

For 3.1 only, there was an option to allow the old behaviour. You could set a flag config.allow_insecure_sign_in_after_confirmation to enable the automatic sign-in after clicking on the confirmation link. However, this was a temporary feature and was removed in 3.2. You can see the commit which removed it here (which also removed looking up un-hashed confirmation/lock tokens, which was another change made to improve security):

https://github.com/plataformatec/devise/commit/6b3b0c5e8c57253d3d178def678ccc26e66cd630

Here's the blog post which announced the change to the more secure approach for 3.1:

http://blog.plataformatec.com.br/2013/08/devise-3-1-now-with-more-secure-defaults/
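
An added Ruby sketch, not part of the original answer and not Devise's own code, modelling the two points above: following the confirmation link only confirms the address and never issues a session, and the server stores only a keyed hash of the token. The `Accounts` class, its method names, the return symbols and the PBKDF2 password hashing are assumptions made for illustration.

```ruby
require "openssl"
require "securerandom"

# Simplified model for illustration; not Devise's implementation.
class Accounts
  Account = Struct.new(:email, :salt, :password_hash, :token_digest, :confirmed)

  def initialize(server_key)
    @server_key = server_key # assumption: secret known only to the app
    @rows = {}               # email => Account, stands in for the users table
  end

  # Returns the raw token to e-mail; only its keyed hash is stored.
  def register(email, password)
    salt = SecureRandom.random_bytes(16)
    raw = SecureRandom.urlsafe_base64(24)
    @rows[email] = Account.new(email, salt, kdf(password, salt), digest(raw), false)
    raw
  end

  # Following the link confirms the address but issues no session.
  def confirm(raw_token)
    wanted = digest(raw_token.to_s)
    row = @rows.values.find { |a| a.token_digest && secure_eq(a.token_digest, wanted) }
    return :invalid_token unless row
    row.confirmed = true
    row.token_digest = nil # single use
    :confirmed_sign_in_required
  end

  # A session needs a confirmed account and the correct password.
  def sign_in(email, password)
    row = @rows[email]
    return nil unless row && row.confirmed
    secure_eq(row.password_hash, kdf(password, row.salt)) ? SecureRandom.hex(16) : nil
  end

  def stored_digest(email)
    @rows.fetch(email).token_digest
  end

  private

  def digest(raw)
    OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("SHA256"), @server_key, raw)
  end
  def kdf(password, salt) # PBKDF2 as a stdlib stand-in for a password hash
    OpenSSL::PKCS5.pbkdf2_hmac(password, salt, 50_000, 32, OpenSSL::Digest.new("SHA256"))
  end
  def secure_eq(a, b) # constant-time comparison of equal-length strings
    a.bytesize == b.bytesize && a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

A person who receives a misaddressed confirmation mail can confirm the account in this model, but still cannot obtain a session without the password chosen at registration.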
