Make the time check to invalidate the session more defensive

This would throw an error if session login_time and last_action_time were not set, be more defensive and default to current time if those values aren't set.
Sorcery · Mar 9, 2018 · 1a0d8a4 · 1a0d8a4
1 parent e6bccba
commit 1a0d8a4
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/lib/sorcery/controller/submodules/session_timeout.rb b/lib/sorcery/controller/submodules/session_timeout.rb
@@ -63,7 +63,7 @@ def sorcery_session_expired?(time)
  def sorcery_session_invalidated?
  return false unless Config.session_timeout_invalidate_active_sessions_enabled
  return false unless current_user.present? && current_user.try(:invalidate_sessions_before).present?
- time = session[:login_time] || session[:last_action_time]
+ time = session[:login_time] || session[:last_action_time] || Time.now.in_time_zone
  time < current_user.invalidate_sessions_before
  end