Closed janko closed 1 year ago
Sure, this looks fine. Just to make sure I understand the reasoning behind the change, the purpose of this patch is to clean up the session early, correct (it would time out eventually without this change)? Note that if the verify account happens in a different browser than the create account, then you'll still have two sessions (this is expected when using active_sessions).
Yes, it's to clean the session early. I have session_inactivity_deadline set to 14 days, so in my case it would take longer for the session to expire. But it's also possible to set both session_inactivity_deadline and session_lifetime_deadline to nil, in which case I believe the duplicated session would never expire by itself (unless logging out of all sessions). And yeah, I expect to have two sessions when creating an account in one browser and verifying it in the other 👍🏻
When verify_account_grace_period feature is logged in, when both create_account_autologin? and verify_account_autologin? are set to true. This means that when creating account and then verifying it, #autologin_session will be called twice. Since an active session is created on each #update_session call, the user will end up with two active sessions, with the second one being the current one. We fix this by removing the existing current session (if it exists) before proceeding to update the session.
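
An added example, not Rodauth's code and not part of this pull request: a toy in-memory model of the behaviour described above, where every update_session call records a new active session, run with and without removing the current one first. The class names, the :active_session_id key and the remove_existing flag are assumptions made for the illustration.

```ruby
require "securerandom"
require "set"

# Toy model (not Rodauth's code): account id => set of active session ids.
class ActiveSessionStore
  def initialize
    @rows = Hash.new { |h, k| h[k] = Set.new }
  end

  def add(account_id, session_id)
    @rows[account_id] << session_id
  end

  def remove(account_id, session_id)
    @rows[account_id].delete(session_id)
  end

  def count(account_id)
    @rows[account_id].size
  end
end

# One browser's cookie session; :active_session_id is a made-up key name.
class Browser
  def initialize(store, remove_existing:)
    @store = store
    @remove_existing = remove_existing
    @session = {}
  end

  # Models an #update_session call made during autologin.
  def update_session(account_id)
    old = @session[:active_session_id]
    # The fix: drop the current browser's active session before adding a new one.
    @store.remove(account_id, old) if @remove_existing && old
    @session = { account_id: account_id, active_session_id: SecureRandom.hex(16) }
    @store.add(account_id, @session[:active_session_id])
  end
end

# Create an account, then verify it: two autologins for the same account.
def sessions_after_create_and_verify(remove_existing:, same_browser: true)
  store = ActiveSessionStore.new
  creator = Browser.new(store, remove_existing: remove_existing)
  creator.update_session(1)   # autologin after create account
  verifier = same_browser ? creator : Browser.new(store, remove_existing: remove_existing)
  verifier.update_session(1)  # autologin after verify account
  store.count(1)
end
```

With same_browser: false the count stays at two even with the removal in place, which is the cross-browser case both participants describe as expected.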