
Scenario: As an Administrator I need to invalidate a user’s session (log them out) after I update the user’s password. This is in accordance with best practices as per https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#Renew_the_Session_ID_After_Any_Privilege_Level_Change

I am using Devise and I saw here https://stackoverflow.com/a/45756884/664675 there is a config to log the user out: config.sign_in_after_reset_password = false

However, I have enabled this config in my devise.rb but the user remains logged in. Not sure why that is?

I am also using Redis as the session_store

  Example::Application.config.session_store :cache_store, 
    key: '_example_session', 
    secure: true

Is it feasible to delete the particular user’s session store from Redis upon Password reset by the Administrator? And if so how could I find their particular session key within Redis?


Answers


  1. The flag sign_in_after_reset_password does not relate to logging a user out at all. sign_in_after_reset_password = false means that when a user updates his own account password, his account is not automatically signed in again, and that logic happens only in PasswordsController#update.
    So if you, as an admin, change another user's password in a custom controller, of course it does not log that user out, no matter what the value of sign_in_after_reset_password is.

    Devise uses the gem warden to log a user out (in other words, to destroy the user's session), and warden is based on the request session, not on the database. That means there is no way for an admin to get hold of another user's session to reset it, so you cannot force another user to log out with Devise alone; you need to handle this feature outside Devise (for example by adding a session to the user table, or with a Devise hook similar to timeoutable).

    reference: https://github.com/heartcombo/devise/issues/5262

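One way to implement the "add a session to the user table" approach described in the answer above, as an added example that is not code from the question or from the Devise project. It assumes a hypothetical session_token column on the user model and models the Rails session as a plain Hash, so it runs outside Rails; in a real app the guard would be a before_action and the token would be stashed in the session from a Warden after_set_user hook.

```ruby
require 'securerandom'

# Constructed in-memory stand-in for a User record; session_token is a
# hypothetical column that every live session must match.
User = Struct.new(:id, :email, :session_token)

WARDEN_KEY = 'warden.user.user.key'   # key Warden uses for the user id
TOKEN_KEY  = 'user_session_token'     # hypothetical key for our token copy

# Simulates Devise/Warden sign-in: Warden stores the user id in the request
# session; we additionally copy the user's current session_token into it.
def sign_in(session, user)
  session[WARDEN_KEY] = user.id
  session[TOKEN_KEY]  = user.session_token
  session
end

# Admin-side password change: rotating the per-user token revokes every
# existing session for that user without needing to find keys in Redis.
def admin_reset_password!(user)
  user.session_token = SecureRandom.hex(16)
  user
end

# Constant-time string comparison so token checks do not leak timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# True only if the token stored in the session still matches the user's
# current token; a nil on either side is treated as revoked.
def session_valid?(session, user)
  stored = session[TOKEN_KEY]
  return false if stored.nil? || user.session_token.nil?
  secure_compare(stored, user.session_token)
end

# Guard to run as a before_action: clears the session (the equivalent of
# Warden's logout) when the token no longer matches.
def enforce_session!(session, user)
  return :ok if session_valid?(session, user)
  session.delete(WARDEN_KEY)
  session.delete(TOKEN_KEY)
  :revoked
end
```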
  2. What you’re looking for is the setting sign_in_after_change_password which you should set to false (it defaults to true). The method has a slightly confusing name – it means "should we sign the user in after changing their password" instead of "should the user have to sign in after changing their password".

    References:
