Travis Haynes's Profile

GitHub User: travishaynes


Comments by Travis Haynes


After reading up on Rails sessions, I added


to SessionsController#create

"One line of code will protect you from session fixation. The most effective countermeasure is to issue a new session identifier and declare the old one invalid after a successful login. That way, an attacker cannot use the fixed session identifier. This is a good countermeasure against session hijacking, as well."


I just set this up using CanCan for authorization. Works great!

I also added a check in the session controller to make sure the user isn't already logged in when visiting the login path:

  def new
    redirect_to root_path, :notice => 'You are already logged in.' if session[:user_id]
  end
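As an added example (not Travis's code and not Rails itself), a small in-memory model of a session store that shows why invalidating the pre-login session id at login defeats session fixation, as the quoted Rails Security Guide passage in the first comment describes, together with the already-logged-in redirect from the second comment. The SessionStore class and its method names are hypothetical; in a real Rails app the id regeneration is done by calling reset_session in SessionsController#create.

```ruby
require 'securerandom'

# Hypothetical in-memory stand-in for a server-side session store.
# It models only what matters here: which session ids are valid and
# which user (if any) each one is authenticated as.
class SessionStore
  def initialize
    @sessions = {} # session_id => { user_id: ... }
  end

  # A visitor without a cookie gets a fresh anonymous session.
  def start
    id = SecureRandom.hex(16)
    @sessions[id] = {}
    id
  end

  def valid?(id)
    @sessions.key?(id)
  end

  def user_id_for(id)
    (@sessions[id] || {})[:user_id]
  end

  # Stand-in for SessionsController#new: a logged-in user is sent away
  # instead of being shown the login form again.
  def new_login_page(id)
    user_id_for(id) ? :redirect_to_root : :render_login_form
  end

  # Stand-in for SessionsController#create WITHOUT reset_session: whatever
  # id the browser arrived with (possibly one fixed by an attacker) is
  # simply upgraded to an authenticated session and stays valid.
  def login_without_reset(id, user_id)
    @sessions[id] = { user_id: user_id }
    id
  end

  # Stand-in for SessionsController#create WITH reset_session: the
  # pre-login id is invalidated and a new id carries the logged-in state,
  # so anyone holding the old id has nothing usable.
  def login_with_reset(id, user_id)
    @sessions.delete(id)
    new_id = SecureRandom.hex(16)
    @sessions[new_id] = { user_id: user_id }
    new_id
  end
end
```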