Add an opt in invalidate_active_sessions! method to session timeout #110
Spike on adding a configurable `invalid_active_sessions!` method to the session_timeouts module. Configurable, but expects an `invalidate_sessions_before` timestamp column on user. Does not invalidate the session if `invalidate_sessions_before` is not set, meaning that if it is deployed it won't log out currently logged in users.
This looks pretty good. Can you update the readme?
@fangbyte @Ch4s3 I am not 100% sure if I'm right, but I'm afraid this concept cannot work. Let me explain it in 2 parts:
The only way to fix I can think of is to clear the
@arnvald I don't think you are logged out after the current session, since the
@fangbyte you're absolutely right, I misunderstood that part. The code will work as intended. Thank you for the explanation!
…ns!` There was concern that because `invalidate_sessions_before` is never cleared, there may be an issue where sessions would be cleared immediately after login. Add a spec to verify that sessions logged in after the `invalidate_sessions_before` timestamp can login and make additional requests without being cleared.
This method never should have been private as it was meant to be part of the public API if enabled
This would throw an error if session login_time and last_action_time were not set. Be more defensive and default to current time if those values aren't set.
I pushed two additional commits fixing small issues:
Awesome! @fangbyte thanks so much for your patience!
Add a configurable `invalid_active_sessions!` method to the session_timeouts module. Configurable, but expects an `invalidate_sessions_before` timestamp column on user. Does not invalidate the session if `invalidate_sessions_before` is not set meaning that if it is deployed it won't log out currently logged in users.

Update the gem version if necessary. Because this is opt in, it should not be a breaking change.
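
The behaviour discussed in this thread, as an added Ruby example that is not Sorcery's code or part of this pull request: a session is cleared only when it started before the user's `invalidate_sessions_before` cutoff. Only `invalidate_sessions_before`, `login_time` and `last_action_time` come from the thread; the other names, the fallback order and the timestamps are assumptions made for the illustration.

```ruby
# Added example, not Sorcery's code. Only invalidate_sessions_before,
# login_time and last_action_time come from the thread; other names are hypothetical.
User = Struct.new(:invalidate_sessions_before) do
  # Opt-in action: mark every session that started before `now` as stale.
  def invalidate_active_sessions!(now = Time.now)
    self.invalidate_sessions_before = now
  end
end

# True when the session predates the user's cutoff and must be cleared.
def session_invalidated?(user, session, now = Time.now)
  cutoff = user.invalidate_sessions_before
  return false if cutoff.nil? # column unset: deploying logs nobody out

  # Assumed fallback order; the thread only says missing values default to now.
  started = session[:login_time] || session[:last_action_time] || now
  started < cutoff
end

# Per-request check: clear a stale session, otherwise record the activity.
def validate_session(user, session, now = Time.now)
  if session_invalidated?(user, session, now)
    session.clear
    return :logged_out
  end
  session[:last_action_time] = now
  :ok
end

# Constructed timeline (seconds since epoch) covering the cases in the thread.
def demo
  t = ->(s) { Time.at(s) }
  user = User.new(nil)
  old = { login_time: t.(100) }
  out = [validate_session(user, old, t.(150))]   # cutoff unset
  user.invalidate_active_sessions!(t.(200))
  out << validate_session(user, old, t.(250))    # logged in before the cutoff
  fresh = { login_time: t.(300) }                # logs in after the cutoff
  out << validate_session(user, fresh, t.(310))
  out << validate_session(user, fresh, t.(320))  # later request, cutoff never cleared
  out << validate_session(user, {}, t.(330))     # session carries no timestamps
  out
end
```

Because a session with neither timestamp falls back to the current time, it is treated as newer than any past cutoff and is not cleared.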