GitHub User: travishaynes
After reading up on Rails sessions, I added
"One line of code will protect you from session fixation. The most effective countermeasure is to issue a new session identifier and declare the old one invalid after a successful login. That way, an attacker cannot use the fixed session identifier. This is a good countermeasure against session hijacking, as well."
I just set this up using CanCan for authorization. Works great!
I also added a check in the session controller to make sure the user isn't already logged in when visiting the login path:
redirect_to root_path, :notice => 'You are already logged in.' if session[:user_id]