NoamB / sorcery

Magical authentication for Rails 3 & 4
MIT License
2.31k stars 386 forks

Sorcery with devise #671

Open Paxa opened 9 years ago

Paxa commented 9 years ago

I found a problem when using sorcery and devise together. If I log in with devise after login and logout with sorcery, then devise's session will be destroyed.

I'm using rails 4.1.5, sorcery 0.8.6, devise 3.4.1, activerecord-session_store 0.1.0

It is caused by this code:

https://github.com/NoamB/sorcery/blob/master/lib/sorcery/controller.rb#L55

def logout
  if logged_in?
    @current_user = current_user if @current_user.nil?
    before_logout!(@current_user)
    reset_sorcery_session
    after_logout!
    @current_user = nil
  end
end

def reset_sorcery_session
  reset_session # protect from session fixation attacks
rescue NoMethodError
end

When we call logout, all session data will be removed.

In my case I fixed it like so:

def reset_sorcery_session
  session.delete(:user_id)
  session.delete(:return_to_url)
  session.delete(:last_action_time)
  session.delete(:login_time)
end

arnvald commented 9 years ago

Hi @Paxa,

thanks for the report, I'm aware of issues with resetting the session, it's on my list of things to review and fix. I was thinking about adding a prefix to the attributes that Sorcery sets in the session, I just need to figure out how to do it so that developers can update their apps without logging out all the users.
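
The trade-off discussed in this thread, as an added example that is not Sorcery's or Devise's own code: it compares a full session reset, the key-deletion workaround, and a hypothetical middle ground that rotates the session id while carrying over non-Sorcery keys. `FakeSession`, the `logout_*` helpers and the sample Warden key are assumptions standing in for a real Rails session.

```ruby
require "securerandom"

# Minimal stand-in for a Rails session; reset! mirrors reset_session
# (new id, empty store).
class FakeSession
  attr_reader :id, :data
  def initialize(data = {})
    @id = SecureRandom.hex(16)
    @data = data.dup
  end

  def reset!
    @id = SecureRandom.hex(16)
    @data = {}
  end
end

# Keys Sorcery writes, as listed in the workaround above.
SORCERY_KEYS = %i[user_id return_to_url last_action_time login_time].freeze

# 1. Behaviour reported in the issue: everything is wiped.
def logout_reset_all(session)
  session.reset!
end

# 2. Workaround from the issue: only Sorcery's keys go, but the id stays.
def logout_delete_keys(session)
  SORCERY_KEYS.each { |k| session.data.delete(k) }
end

# 3. Hypothetical middle ground: rotate the id, carry over foreign keys.
def logout_rotate_and_keep(session)
  keep = session.data.reject { |k, _| SORCERY_KEYS.include?(k) }
  session.reset!
  session.data.merge!(keep)
end

# Constructed sample: a Sorcery login plus a Warden/Devise entry.
def sample_session
  FakeSession.new({ user_id: 7, login_time: Time.at(0), return_to_url: "/x",
                    "warden.user.admin_user.key" => [[1], "salt"] })
end

# Returns [id_rotated, devise_entry_kept, sorcery_user_removed].
def outcome(strategy)
  s = sample_session
  old_id = s.id
  send(strategy, s)
  [s.id != old_id, s.data.key?("warden.user.admin_user.key"), !s.data.key?(:user_id)]
end
```

Only the third strategy both changes the session id and leaves the other library's entry in place.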

TechRsch commented 9 years ago

Would this change allow me to run multiple Sorcery sessions on one OS image?

arnvald commented 9 years ago

@TechRsch I don't think so, this will just leave non-sorcery keys in the session untouched after the user logs out. Still, if the user logs out, the remember_me_token and remember_me_expires_at attributes will be set to nil. These are 2 separate issues that I'm working on, and I hope to resolve both within the next few weeks.

brendon commented 6 years ago

Hi @arnvald, did you ever get anywhere with this one? :)

Ch4s3 commented 6 years ago

@brendon come join us over at the new repo https://github.com/Sorcery/sorcery.

Unfortunately using Sorcery with Devise isn't a supported use case at the moment.

brendon commented 6 years ago

Thanks @Ch4s3, I didn't realise it had moved :) I use Sorcery in my main app but active_admin uses devise. So far this is the only conflict I've found :)

Ch4s3 commented 6 years ago

@brendon ahh good old active admin. If you file an issue over at the new repo, we'll take a look. A demo app might be helpful.