Closed rvalyi closed 8 years ago
The solution is to reuse the Rails or Sinatra/Rack cookie key when present instead, because Devise and other auth plugins will take care to remove that cookie when logging out, so new users will not reuse a previous ooor session.
When used in a Rails app, the Rack proxy uses ooor_session_id as a session key (generally in the cookie) to store a few ooor session parameters (typically the user, DB and language to connect to Odoo, but eventually also the partner_id associated with the Devise user).
The problem is that on Warden logout (so with Devise), if no care is taken, ooor_session_id is not removed from the cookie, so eventually a new user connecting using the same browser would get the same Odoo user while it may not be the intent. This is a potential security threat.
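The following Ruby script is an added illustration, not ooor's own code, of the two storage choices discussed in this issue. It models a shared browser's cookie jar and a server-side session store with plain hashes (no Rack or Devise dependency), then runs the same login/logout scenario twice: once with the ooor parameters kept under their own `ooor_session_id` cookie, and once with them kept inside the Rack session that Warden resets on logout. The cookie name `_app_session`, the store layout and the sample user values are constructed for the example.

```ruby
require 'securerandom'

# Names assumed for this example (only ooor_session_id comes from the issue).
OOOR_COOKIE = 'ooor_session_id'
APP_COOKIE  = '_app_session'

# Server-side session store: cookie value -> hash of session data.
# An empty hash is returned when the request carries no matching cookie.
class SessionStore
  def initialize
    @data = {}
  end

  def [](sid)
    sid ? (@data[sid] ||= {}) : {}
  end

  def delete(sid)
    @data.delete(sid)
  end
end

# Log a Devise user in and record the ooor connection parameters.
# :separate_cookie keeps them under their own ooor_session_id cookie;
# :rack_session   keeps them inside the Rack session itself.
def login(cookies, store, user, mode)
  sid = SecureRandom.hex(8)
  cookies[APP_COOKIE] = sid
  store[sid]['warden.user.user.key'] = user[:id]

  ooor_params = {
    'ooor_user'  => user[:odoo_login],
    'ooor_db'    => 'mydb',   # constructed sample values
    'ooor_lang'  => 'en_US',
    'partner_id' => user[:partner_id]
  }

  case mode
  when :separate_cookie
    osid = SecureRandom.hex(8)
    cookies[OOOR_COOKIE] = osid
    store[osid].merge!(ooor_params)
  when :rack_session
    store[sid].merge!(ooor_params)
  end
end

# What Warden's logout amounts to: the Rack session and its cookie are
# discarded. Nothing here knows about ooor_session_id, so that cookie survives.
def warden_logout(cookies, store)
  store.delete(cookies.delete(APP_COOKIE))
end

# The ooor Rack proxy resolving which Odoo user the next request connects as.
def ooor_user_for_request(cookies, store, mode)
  case mode
  when :separate_cookie then store[cookies[OOOR_COOKIE]]['ooor_user']
  when :rack_session    then store[cookies[APP_COOKIE]]['ooor_user']
  end
end

# Scenario: Alice logs in and out on a shared browser; before anyone logs in
# again, the next request asks ooor which Odoo user it would connect as.
def odoo_user_after_logout(mode)
  cookies = {}
  store   = SessionStore.new
  alice   = { id: 1, odoo_login: 'alice@example.com', partner_id: 7 }
  login(cookies, store, alice, mode)
  warden_logout(cookies, store)
  ooor_user_for_request(cookies, store, mode)
end

if __FILE__ == $PROGRAM_NAME
  puts "separate cookie: #{odoo_user_after_logout(:separate_cookie).inspect}"
  puts "rack session:    #{odoo_user_after_logout(:rack_session).inspect}"
end
```

With the separate cookie, the request after logout still resolves to Alice's Odoo login, which is the leak described above; with the parameters inside the Rack session, the same request resolves to no user, because the reset that Devise already performs took the ooor data with it.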