
Travis Haynes's Profile

GitHub User: travishaynes

Site: http://www.hi5dev.com

Comments by Travis Haynes


After reading up on Rails sessions, I added


to SessionsController#create

"One line of code will protect you from session fixation. The most effective countermeasure is to issue a new session identifier and declare the old one invalid after a successful login. That way, an attacker cannot use the fixed session identifier. This is a good countermeasure against session hijacking, as well."



I just set this up using CanCan for authorization. Works great!

I also added a check in the session controller to make sure the user isn't already logged in when visiting the login path:

  # Send an already-authenticated visitor away from the login form.
  def new
    redirect_to root_path, :notice => 'You are already logged in.' if session[:user_id]
  end
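The two comments above describe rotating the session on login (what Rails' reset_session does) and refusing to show the login form to a session that is already authenticated. The following is an added, framework-free Ruby model of a server-side session store that shows both behaviours and why rotation defeats a planted session id; it is constructed for illustration, not code from RailsCasts or Rails, and the class and method names are my own.

```ruby
require 'securerandom'

# Constructed model of a server-side session store (hypothetical, not Rails').
class SessionStore
  def initialize
    @sessions = {} # session id => session data hash
  end

  # Hands out a fresh, empty session id (what a visitor holds before login).
  def create
    id = SecureRandom.hex(16)
    @sessions[id] = {}
    id
  end

  # Login without rotation: whatever id the client presented stays valid,
  # so an id an attacker planted earlier becomes an authenticated session.
  def login_without_reset(id, user_id)
    (@sessions[id] ||= {})[:user_id] = user_id
    id
  end

  # Login with rotation, modelling reset_session: the presented id is
  # discarded and the authenticated state exists only under a new id.
  def login_with_reset(id, user_id)
    @sessions.delete(id)
    new_id = create
    @sessions[new_id][:user_id] = user_id
    new_id
  end

  # The check from the second comment: an authenticated session should be
  # redirected away from the login form instead of being shown it again.
  def already_logged_in?(id)
    !!(@sessions[id] && @sessions[id][:user_id])
  end
end

# Fixation scenario: an id is obtained before login, the victim logs in
# under it, and we report whether the pre-login copy of the id still works.
def attacker_keeps_access?(store, rotate:)
  planted = store.create
  rotate ? store.login_with_reset(planted, 42) : store.login_without_reset(planted, 42)
  store.already_logged_in?(planted)
end
```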