Closed DavidMealha closed 4 years ago
It's somewhat buried in the documentation, but Rack offers support for dropping the session within rack.session.options
. I think this might be what you want to do if you want to delete the session:
request.env['rack.session.options'][:drop] = true
This is supported in redis-rack, the library that this one depends on to handle rack-based session management.
It's similar but I need to delete sessions across multiple devices.
In the meantime, I found out that I can access the correct session_id on Warden hook (Warden::Manager.after_set_user
) this way I can manage the active sessions of each user, in order to delete them all at once when necessary.
Hey 👋
Recently I have migrated my rails sessions in one of my projects from MySQL to Redis, while using this gem.
However, I want to have the ability to delete all sessions of a specific user (e.g: when a user changes password, logging out from all devices, disabling a user).
After some investigation I haven't managed to find a way to do it.
I thought of managing a separate set in redis per user with all the session_private_ids (because the key is based on the private_id) in order to know each ones to remove. The keys would be populated on login, but this doesn't work because the Rack::Session::Id I have access to during the request is renewed after login.
The list management would be more or less like this (ignoring the invalidation of old keys for now):
So, if there was the ability to allow the session_key in redis to have a user identified, that would be fixed.
Do you have any idea on this?
Thanks, David