
Travis Haynes's Profile

GitHub User: travishaynes

Site: http://www.hi5dev.com

Comments by Travis Haynes


After reading up on Rails sessions, I added `reset_session` to `SessionsController#create`:

"One line of code will protect you from session fixation. The most effective countermeasure is to issue a new session identifier and declare the old one invalid after a successful login. That way, an attacker cannot use the fixed session identifier. This is a good countermeasure against session hijacking, as well."

http://guides.rubyonrails.org/security.html
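The quoted countermeasure can be illustrated without a Rails app. The following is an added example, not code from the comment or from RailsCasts: it models a cookie-backed session store in plain Ruby (the `SessionStore` class and the two `login_*` helpers are constructed for this illustration) and compares a login that keeps the incoming session id with one that rotates it, the way `reset_session` does in `SessionsController#create`.

```ruby
require 'securerandom'

# Constructed stand-in for a server-side session store keyed by the id the
# browser presents in its cookie. This is a model, not Rails' own store.
class SessionStore
  def initialize
    @sessions = {} # session_id => session data
  end

  # Issue a fresh, unpredictable id with an empty session.
  def create
    id = SecureRandom.hex(16)
    @sessions[id] = {}
    id
  end

  def [](id)
    @sessions[id]
  end

  # Model of reset_session: invalidate the old id, issue a new one.
  def reset(id)
    @sessions.delete(id)
    create
  end
end

# Login that trusts whatever session id the request arrived with: the
# pre-login id simply becomes an authenticated session.
def login_without_reset(store, session_id, user_id)
  store[session_id][:user_id] = user_id
  session_id
end

# Login that rotates the id first (what reset_session achieves): the
# pre-login id is invalid afterwards and only the new id is authenticated.
def login_with_reset(store, session_id, user_id)
  new_id = store.reset(session_id)
  store[new_id][:user_id] = user_id
  new_id
end

# Defender's check: if a session id that existed before login were known to a
# third party, does that same id carry the user's identity after login?
# Returns true when the pre-login id is authenticated, false when it is not.
def prelogin_id_authenticated?(rotate:)
  store = SessionStore.new
  prelogin_id = store.create # id present before the user authenticates
  victim_id = 42
  if rotate
    login_with_reset(store, prelogin_id, victim_id)
  else
    login_without_reset(store, prelogin_id, victim_id)
  end
  data = store[prelogin_id]
  !data.nil? && data[:user_id] == victim_id
end

if __FILE__ == $PROGRAM_NAME
  puts "without reset_session, pre-login id stays valid: #{prelogin_id_authenticated?(rotate: false)}"
  puts "with reset_session,    pre-login id stays valid: #{prelogin_id_authenticated?(rotate: true)}"
end
```

The only behavioural difference between the two helpers is the call to `reset`; everything else about the login is identical, which is why the guide describes the fix as a one-line change.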


I just set this up using CanCan for authorization. Works great!

I also added a check in the session controller to make sure the user isn't already logged in when visiting the login path:

```ruby
# Send already-authenticated users away from the login form.
def new
  redirect_to root_path, :notice => 'You are already logged in.' if session[:user_id]
end
```