Sign in through GitHub

Please read for an updated status on RailsCasts:

Learn more or hide this

Travis Haynes's Profile

GitHub User: travishaynes

Comments by Travis Haynes

Avatar

After reading up on Rails sessions, I added

reset_session

to SessionsController#create

"One line of code will protect you from session fixation. The most effective countermeasure is to issue a new session identifier and declare the old one invalid after a successful login. That way, an attacker cannot use the fixed session identifier. This is a good countermeasure against session hijacking, as well."

http://guides.rubyonrails.org/security.html

Avatar

I just set this up using CanCan for authorization. Works great!

I also added a check in the session controller to make sure the user isn't already logged in when visiting the login path:

ruby
  def new
    redirect_to root_path, :notice => 'You are already logged in.' if session[:user_id]
  end