
Devise rails session ID

It turns out that getting the session ID (with session[:session_id]) after login with Devise (the authentication gem), either in session_controller or in after_sign_in_path_for, does not return the same thing before and after redirecting for the first time after logging in.

Is anyone able to explain to me why? Is there any way to get the final session ID before redirecting?

FYI, answer from Gee-Bee (https://github.com/Gee-Bee):

https://github.com/plataformatec/devise/issues/3706

> Is anyone able to explain to me why?

I'll try. In short:

- Devise has nothing to do with it.
- Warden has something to do with it: it is setting the :renew option on the session after setting the user (proxy, spec).
- The actual action takes place in Rack::Session::Abstract#commit_session, which updates session_id (by calling destroy_session and set_session, implemented in ActionDispatch::Session::CookieStore).

> Is there any way to get the final session ID before redirecting?

Sure there is. Bear in mind that Warden is changing session_id after authentication to prevent session fixation attacks, so in the overridden Devise controller you should manually change session_id in addition to disabling the :renew session option. This will do:

```ruby
# Generate a fresh session ID now, so the value read before the redirect is the
# one that gets committed, and stop Rack from renewing it again at commit time.
session.options[:id] = session.instance_variable_get(:@by).generate_sid
session.options[:renew] = false
```
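To make the mechanism above concrete, here is a small Ruby model, added here and not taken from the Devise issue or from Rack's or Rails' source, of how a :renew flag at commit time replaces the id, and why pre-generating the id with :renew disabled makes the value read inside the controller match the committed one while still differing from the pre-login id. ToySession, ToyCookieStore, warden_set_user and login_request are hypothetical stand-ins for the real classes.

```ruby
require 'securerandom'

# Toy stand-in for the Rails session object (assumption: simplified model).
class ToySession
  attr_reader :options
  def initialize(id)
    @options = { id: id, renew: false }
    @store = {}
  end
  def id
    @options[:id]
  end
  def []=(key, value)
    @store[key] = value
  end
end

# Toy stand-in for ActionDispatch::Session::CookieStore.
class ToyCookieStore
  def generate_sid
    SecureRandom.hex(16)
  end
  # Mirrors the shape of commit_session: with :renew set, the old session is
  # dropped and a new id generated; otherwise the existing id is written.
  def commit_session(session)
    session.options[:id] = generate_sid if session.options[:renew]
    session.id  # the id that ends up in the Set-Cookie header
  end
end

# Warden sets :renew on the session after authentication (session fixation defence).
def warden_set_user(session, user_id)
  session[:user_id] = user_id
  session.options[:renew] = true
end

# Simulates one login request and returns the id from the pre-login cookie,
# the id seen in the controller (e.g. after_sign_in_path_for), and the
# committed id the browser actually receives.
def login_request(store, fixate_workaround: false)
  session = ToySession.new(store.generate_sid)
  before = session.id
  warden_set_user(session, 42)
  if fixate_workaround
    session.options[:id] = store.generate_sid  # rotate the id ourselves
    session.options[:renew] = false            # so commit does not rotate again
  end
  seen = session.id
  { before: before, seen: seen, committed: store.commit_session(session) }
end
```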
