Scenario: As an Administrator I need to invalidate a user’s session (log them out) after I update the user’s password. This is in accordance with best practices as per https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#Renew_the_Session_ID_After_Any_Privilege_Level_Change
I am using Devise and I saw here https://stackoverflow.com/a/45756884/664675 there is a config to log the user out: config.sign_in_after_reset_password = false
However, I have enabled this config in my devise.rb, but the user remains logged in. Not sure why that is?
I am also using Redis as the session_store:

    Example::Application.config.session_store :cache_store,
      key: '_example_session',
      secure: true

Is it feasible to delete the particular user’s session store from Redis upon Password reset by the Administrator? And if so how could I find their particular session key within Redis?
2 Answers
The flag sign_in_after_reset_password does not relate to logging out the user at all. sign_in_after_reset_password = false implies that when a user updates their account password themselves, the account is not automatically signed in again, and that logic happens only in PasswordsController#update. So when you as admin change the password of another user in a custom controller, of course it does not log the user out, no matter what the value of sign_in_after_reset_password is.

Devise uses the gem warden to log out a user (in other words: destroy the user session), and warden is based on the request session, not on the database. That means there is no way for an admin to get another user's session to reset, so you cannot force logout another user with only devise; you need to handle this feature outside devise (such as adding a session to the user table, or a devise hook, something like timeoutable).

Reference: https://github.com/heartcombo/devise/issues/5262
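The "add a session to the user table" approach from the answer above, as an added example that is not part of the original thread or of Devise: each user carries a session_token that is snapshotted into the session at sign-in and rotated whenever an administrator resets the password, so the next request from a stale session fails the comparison and the session entry is deleted. It also records the session ids issued to the user so an administrator can delete them from the store eagerly. The store, the User class, the SHA-256 digest (standing in for Devise's bcrypt) and all function names are constructed for this example; it runs in plain Ruby without Rails, and the only detail taken from Rails is that ActionDispatch::Session::CacheStore keys entries as "_session_id:<sid>".

```ruby
require 'securerandom'
require 'digest'

# Constructed stand-in for the Redis-backed Rails cache session store.
# Rails' ActionDispatch::Session::CacheStore prefixes entries with "_session_id:".
class FakeSessionStore
  def initialize
    @data = {}
  end

  def write(sid, payload)
    @data["_session_id:#{sid}"] = payload
  end

  def read(sid)
    @data["_session_id:#{sid}"]
  end

  def delete(sid)
    @data.delete("_session_id:#{sid}")
  end

  def keys
    @data.keys
  end
end

# Constructed user record with a session_token column. Rotating the token
# is what invalidates every session that was issued under the old one.
class User
  attr_reader :id, :session_token, :session_ids, :password_digest

  def initialize(id)
    @id = id
    @session_token = SecureRandom.hex(16)
    @session_ids = []
  end

  # Administrator-driven reset: new credential, new token.
  # SHA-256 is a placeholder here; Devise uses bcrypt for the real digest.
  def admin_reset_password!(new_password)
    @password_digest = Digest::SHA256.hexdigest(new_password)
    @session_token = SecureRandom.hex(16)
  end
end

# Sign-in: create a session holding the user id and a snapshot of the
# current token, and remember the session id on the user for eager revocation.
def sign_in(store, user)
  sid = SecureRandom.hex(16)
  store.write(sid, { 'user_id' => user.id, 'session_token' => user.session_token })
  user.session_ids << sid
  sid
end

# Per-request check, the equivalent of a Warden after_set_user hook:
# returns the user only while the snapshot still matches the live token;
# a stale session is deleted from the store and nil is returned.
def current_user(store, sid, users_by_id)
  session = store.read(sid)
  return nil unless session

  user = users_by_id[session['user_id']]
  if user.nil? || session['session_token'] != user.session_token
    store.delete(sid)
    return nil
  end
  user
end

# Eager variant: the administrator removes every session recorded for the
# user from the store right away. Returns how many entries were deleted.
def force_logout!(store, user)
  removed = user.session_ids.map { |sid| store.delete(sid) }.compact.size
  user.session_ids.clear
  removed
end
```

In a Rails app the comparison in current_user would live in a Warden::Manager.after_set_user block that throws :warden when the tokens differ, and the session_ids list would be a column or association on the users table; the lazy check alone is enough to guarantee logout on the next request, while force_logout! is only needed if the entry must disappear from Redis immediately.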
What you’re looking for is the setting sign_in_after_change_password, which you should set to false (it defaults to true). The method has a slightly confusing name – it means "should we sign the user in after changing their password" instead of "should the user have to sign in after changing their password".

References: