Closed chika-kasymov closed 1 year ago
Rails session will always be stored (encrypted & signed) under a single cookie. The `session_key_prefix` modifies the keys that are used by Rodauth within the session data.

By default, Rodauth stores the logged in account ID under `session[:account_id]`, but with `session_key_prefix "seller"` it will store it under `session[:selleraccount_id]`. BTW, that's why you typically want to end the prefix with an underscore, e.g. `session_key_prefix "seller_"`, so that the session key ends up being `session[:seller_account_id]` 😉

If you've used Devise, it uses Warden which stores account data in separate subhashes inside session data, so all session data for the seller account would be saved to `session["warden.user.seller.key"]`. Rodauth takes a different approach, where it saves session data at the top-level, so that's why you need a prefix if you want to differentiate them.

The remember cookie is different, because that one really is stored as a separate cookie, and is independent from the Rails session cookie.
Oh, I see now. @janko thanks for the explanation!

In that case, my issue is not about the session key. Basically, if I log in with a new configuration (ex: `seller`), the previous one (ex: `customer`) logs out automatically. I want to be able to log in to both configurations simultaneously. Is it possible to achieve?
Yes, that's another difference in Rodauth, it resets the whole session on logout, to prevent session fixation attacks. However, that means that session data for other accounts is also cleared. Warden is a bit smarter, and it resets the session only when you tell it to log out all users, otherwise it just deletes the session data for the specific account.

At the moment, I'm not sure how you could get the same behaviour with Rodauth, since it's not straightforward to get all session keys. I would try this:

```ruby
class RodauthBase < Rodauth::Rails::Auth
  configure do
    # Override clear_session so that logout removes only this configuration's
    # session keys instead of resetting the whole session.
    clear_session do
      # Every Rodauth method ending in _session_key returns one of this
      # configuration's (prefixed) session keys.
      methods.grep(/_session_key$/).each do |session_key_method|
        remove_session_value(send(session_key_method))
      end
    end
  end
end
```
However, then you're vulnerable to session fixation attacks. Pinging @jeremyevans in case he wants to chime in 🙂
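A toy model of the trade-off just described, added here as an example (not Rodauth's, Rails', or this thread's code): `FakeSession`, `ToyAuth` and the three logout helpers are constructed stand-ins, and only the prefix-built keys and the `*session_key` method lookup mirror what the thread describes. Beyond the thread's two options it shows a third, which keeps the other configuration's account but still moves the remaining data to a fresh session id.

```ruby
require 'securerandom'

# Toy stand-in for the single Rails session cookie the thread describes: one
# session id plus one flat hash. Constructed for this example, not Rails' API.
class FakeSession
  attr_reader :id, :data
  def initialize(data = {})
    @id = SecureRandom.hex(8) # rotating this id is what defeats session fixation
    @data = data
  end
end

# Toy Rodauth-style configuration (hypothetical, not Rodauth::Auth): session keys
# are built from the prefix and *session_key methods enumerate them, as in the thread.
class ToyAuth
  def initialize(session_key_prefix)
    @prefix = session_key_prefix
  end
  def session_key
    :"#{@prefix}account_id"
  end
  def authenticated_by_session_key
    :"#{@prefix}authenticated_by"
  end
  # Keys this configuration owns (/_session_key$/ would miss session_key itself)
  def own_session_keys
    methods.grep(/session_key$/).map { |m| send(m) }
  end
end

# 1. Rodauth's default logout: drop everything and rotate the id (fixation-safe, but logs all accounts out)
def reset_session(_session)
  FakeSession.new({})
end
# 2. The thread's workaround: delete only own keys; the other account survives but the id is reused
def clear_own_keys(auth, session)
  auth.own_session_keys.each { |key| session.data.delete(key) }
  session
end
# 3. Middle ground: drop own keys, then move what is left to a fresh id (other account survives)
def clear_own_keys_and_rotate(auth, session)
  FakeSession.new(clear_own_keys(auth, session).data.dup)
end

# Constructed sample: a seller and a customer logged in within the same session.
def sample_session
  FakeSession.new({ seller_account_id: 1, seller_authenticated_by: [:password],
                    customer_account_id: 2, customer_authenticated_by: [:password] })
end
```

With the third helper the seller's keys are gone, the customer's keys are intact, and the session id no longer matches the one issued before logout.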
Your suggested config helped to solve my issue. I edited it a little bit following a GitHub comment in one of your PRs :)

```ruby
clear_session do
  # Every method ending in _key whose name mentions cookie or session
  # (so session_key itself is matched as well)
  methods.grep(/cookie|session/).grep(/_key$/).each do |session_key_method|
    session.delete(send(session_key_method))
  end
end
```

But I'll take note of the session fixation attacks. Thanks!
FYI, since the remember cookie is not part of the session, attempting to delete it from the session won't have any effect. Unless I'm mistaken, it should already be deleted automatically on logout.
You're correct. I deleted the cookie part.
I created two configurations with separate databases. Example:
But for some reason, the session always has this format: `_rails_app_name_session`. I'm not sure if it's related to this library or to the rodauth gem. Does anybody have a similar issue?