How can I reset all devise sessions so every user has to login again?

Question

At some mystery point X with this rails app hosted on heroku, a logged in user would suddenly be logged in as another user. I am using the devise gem for authentication.

This has occurred for 2 users that we know of. I am currently tracking down what the root cause of this issue could be.

What I need to do right now is invalidate all devise sessions in order to force users to login again. After a user logs in, the problem seems to go away.

I tried reseting my secret_token but I was not forced to login again. I then scaled my web dynos down and then back up. I also restarted the app. All trying to get the secret_token change to reset the sessions.

Any other ideas?

Have you tried session timeout?Its one of Devise modules – kasperite May 06 '13 at 20:02 — kasperite, May 06 '13 at 20:02

score 26 · Answer 1 · answered May 06 '13 at 20:29

26

You should be able to change your session cookie name to invalidate all sessions, which lives in config/initializers/session_store.rb

YourApp::Application.config.session_store :cookie_store, key: '_change_me_session'

answered May 06 '13 at 20:29

djcp

699
1
6
6

2

This is the only solution that worked (using Heroku + Rails + Postgres) – Onichan May 29 '16 at 22:13
This did not work for me. Had to use `rake tmp:clear;rake tmp:create` – Jeff Davenport Feb 18 '20 at 22:38
In Rails 5, it was the solution for us. Only change the name of the cookie and re-start the app. – matiasmasca Jul 13 '21 at 12:14

score 18 · Accepted Answer · answered May 06 '13 at 20:37

18

Changing your session_token will work if you're storing your sessions in cookies (default).

But if you're storing in active_record, then you can delete all the sessions by:

rake db:sessions:clear

then: BAM! no more sessions.

answered May 06 '13 at 20:37

Jesse Wolgamott

40,197
4
83
109

The session store was switched to active record. So the rake:db:sessions:clear fixed the issue. – JB. May 06 '13 at 20:56
6

no matter how i try it, i'm getting a "don't know how to build taks".. Any suggestions ? – Mini John May 05 '14 at 10:41
1

@TheMiniJohn literally "taks" ? – Jesse Wolgamott May 05 '14 at 14:13
3

it should be `rake tmp:clear` or `tmp:sessions:clear, tmp:cache:clear` – Zitao Xiong Nov 06 '15 at 07:09
do `rake -T` and look for something resembling one of the above commands for your specific application. – Jon Kern May 09 '17 at 17:25
I've tried to run this but i get the error `Don't know how to build task 'db:sessions:clear'` – fedest Apr 03 '18 at 20:23

score 6 · Answer 3 · answered Jun 16 '17 at 13:50

6

Update on the accepted answer, now it is

rake tmp:clear

rake -T ... rake tmp:create # Creates tmp directories for sessions, cache, sockets, and pids

answered Jun 16 '17 at 13:50

lab419

1,129
13
16

Thank you! This is the answer that worked for me. I'm on Rails 4.2 with Devise and `db:sessions:clear` is not available as a task. It took about 5 minutes, but `tmp:clear` did it. – jlleblanc Jan 31 '19 at 14:11
This is the only one that worked for me. Changing cookie session key did not work – Jeff Davenport Feb 18 '20 at 22:37

score 4 · Answer 4 · answered May 06 '13 at 20:07

4

If your sessions don't store any other critical information, you could clear the sessions:

rake db:sessions:clear

answered May 06 '13 at 20:07

Matchu

83,922
18
153
160

score 1 · Answer 5 · answered May 06 '13 at 20:01

1

Devise has a thing called timeoutable can you work with that?

answered May 06 '13 at 20:01

catsby

11,276
3
37
37

score 1 · Answer 6 · edited May 23 '17 at 11:54

Check out

  module ClassMethods
    Devise::Models.config(self, :timeout_in)
  end

I'm just guessing that you could do something like:

User.all.each do |user|
  user.timeout_in 1.second
end

But I'm not sure if this only manages new sessions.. and not existing ones?

Actually this is overly complex.. just try:

User.all.each do |user|
  sign_out user
end

See this post Log out all user with Devise

to do something like this from the console you will need to check out this example and adjust it for your needs

How to sign in a user using Devise from a Rails console?

score 0 · Answer 7 · edited Jun 20 '20 at 09:12

0

sign_out_all_scopes(lock = true) ⇒ Object

Sign out all active users or scopes. This helper is useful for signing out all roles in one click. This signs out ALL scopes in warden. Returns true if there was at least one logout and false if there was no user logged in on all scopes.

source: http://www.rubydoc.info/github/plataformatec/devise/Devise/Controllers/SignInOut

edited Jun 20 '20 at 09:12

Community

1
1

answered Mar 10 '16 at 11:48

plombix

396
3
13

score 0 · Answer 8 · answered Nov 08 '17 at 05:48

When cookie store is used, we have to regenerate the app secret_token which is used to encrypt the cookies.

file to configure secret_token: config/initializers/secret_token.rb

bundle exec rake secret Can be used to generate a new secret token.

https://www.tigraine.at/2012/08/03/how-to-expire-all-active-sessions-in-rails-3

score 0 · Answer 9 · answered Nov 02 '21 at 22:21

0

Try this on your controller actions.

  def index
    reset_session
  end

answered Nov 02 '21 at 22:21

Jin Lim

1,759
20
24

How can I reset all devise sessions so every user has to login again?

9 Answers9

sign_out_all_scopes(lock = true) ⇒ Object

Linked

Related