堆栈内存溢出
  简体   繁体   English

如何使 devise 应用程序上的用户的 session 无效?

[英]How can I invalidate a session of a user on a rails devise app?

 原文  2022-04-19 10:13:32       ruby-on-rails/ devise

问题描述

I want to create an endpoint that will invalidate user session. I understand that devise has destroy_user_session route that will destroy the user session. But how can I do that for a specific user from an admin point of view?我想创建一个将使用户 session 无效的端点。我知道 devise 具有destroy_user_session路由,该路由将破坏用户 session。但是从管理员的角度来看,我如何为特定用户执行此操作? Where does devise store session data? devise把session的数据存放在哪里?

1 个解决方案

解决方案1
 2 已采纳  2022-04-19 12:58:15

Where does devise store session data? devise把session的数据存放在哪里?

Devise will use the session store that your Rails app is configured to use. Devise 将使用您的 Rails 应用配置使用的 session 商店。 The key used is determined by what you pass to devise_for in your config/routes.rb file - which is known as the Devise mapping.使用的密钥由您在config/routes.rb文件中传递给devise_for的内容决定 - 这被称为 Devise 映射。 See Devise::Controller::Rememberable .请参见Devise::Controller::Rememberable

The default session storage in Rails has been ActionDispatch::CookieStore since at least Rails 4 so the session is actually "stored" by passing an encrypted cookie back and forth between the client and server.至少从 Rails 4 开始,Rails 中默认的 session 存储是 ActionDispatch::CookieStore,所以 session 实际上是通过在客户端和服务器之间来回传递加密的 cookie 来“存储”的。 This is far more performant then the alternatives.这比替代方案的性能要好得多。

Thus you can't actually "invalidate" or destroy other users sessions while using the cookie store beacuse its not something you actually control.因此,您实际上不能在使用 cookie 存储时“使”或破坏其他用户会话,因为它不是您实际控制的东西。 You can simply invalidate all the users cookies by changing the application secret which will cause Rails to reject any existing session storage cookies and issue new ones.您可以简单地通过更改应用程序密码使所有用户 cookies 无效,这将导致 Rails 拒绝任何现有的 session 存储 cookies 并发布新的。

If you want to be able to implement such a feature you need to change the session storage backend into server side storage such as Redis or ActiveRecord which will actually let you find a session for a specific user and delete it.如果您希望能够实现这样的功能,您需要将 session 存储后端更改为服务器端存储,例如RedisActiveRecord ,这实际上会让您找到特定用户的 session 并将其删除。 Before doing so you should read up as much as possible about how sessions work in Rails and the basics of how Devise together with Warden handles user authentication as you'll need a solid grasp of that to implement the feature.在这样做之前,您应该尽可能多地阅读Rails 中的会话如何工作以及 Devise 如何与Warden一起处理用户身份验证的基础知识,因为您需要扎实地掌握这些知识才能实现该功能。 The performance implications should also be considered as it will impact your entire application.还应考虑性能影响,因为它会影响您的整个应用程序。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 如何在Rails / w Devise中注销时使特定会话无效? - How to invalidate specific session at logout in Rails /w Devise? Rails / Devise 如何将 session 与用户联系起来? - How does Rails / Devise relate a session to a user? 如何将未经确认的用户的电子邮件传递给会话(Devise)? - How can I pass email of unconfirmed user to the session (Devise)? 如何通过 session id 找到 devise 用户? - How can I find a devise user by it's session id? Rails + Devise:如何在登录时检查是否记住了用户 - Rails + Devise: How can I check if a user is remembered when signing in 如何使Rails作者资源成为设计用户? - How can I make a rails authors resource a devise user? 如何从 Rails 控制台注销设计用户? - How can I sign out a devise user from the Rails console? 如何检查用户是否使用 rails devise 登录? - How can I check if user is signed in with rails devise? Rails:设计:如何编辑用户信息? - Rails: Devise: How can I edit user information? 如何使用devise的“ warden”对与使用devise的rails应用程序位于同一堆栈中的机架应用程序进行身份验证? - How can I use devise's “warden” to authenticate a rack app in the same stack as the rails app that uses devise?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM