Do not clear application session data on logout
Closes #34.
airblade committed Aug 1, 2023
1 parent 1455c00 commit 2e25c29
Showing 5 changed files with 44 additions and 1 deletion.
1 change: 1 addition & 0 deletions CHANGELOG.md
@@ -3,6 +3,7 @@

## HEAD

* Do not clear application session data on logout.
* Use 'email' type for email input fields.
* Document how to log out.
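Review bot: the new CHANGELOG entry understates a behaviour change with a security consequence: applications that relied on logout wiping everything in the Rails session (the library used to call `reset_session` in `logout`, see the lib/quo_vadis/controller.rb hunk on this page) will now keep that data across logout, so any sensitive per-user values stored in `session` survive until the host app clears them itself. Mark it as a behaviour change and point at the README section on overriding `destroy`, e.g. `* Do not clear application session data on logout (behaviour change: apps that need it cleared must override SessionsController#destroy, see README).`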

25 changes: 25 additions & 0 deletions README.md
@@ -246,6 +246,31 @@ Send a DELETE request to `quo_vadis.logout_path`. For example:
button_to 'Log out', quo_vadis.logout_path, method: :delete
```

Note you are responsible for removing any application session data you want removed. To do so, subclass `QuoVadis::SessionsController` and override the `destroy` method:

````ruby
# app/controllers/custom_sessions_controller.rb
class CustomSessionsController < QuoVadis::SessionsController
def destroy
reset_session
super
end
end
```

Add a route:

```ruby
# config/routes.rb
delete 'logout', to: 'custom_sessions#destroy'
```

And then point your log out button at your custom action:

```ruby
button_to 'Log out', main_app.logout_path, method: :delete
```


### Two-factor authentication (2FA) or Two-step verification (2SV)
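Review bot: the order of `reset_session` and `super` in the `CustomSessionsController#destroy` example looks risky: `QuoVadis::Controller#logout` (lib/quo_vadis/controller.rb hunk on this page) calls `session&.destroy` and then `clear_session_id`, so if the server-side session is located through an id kept in the Rails session, wiping the Rails session first leaves `session` nil, the `&.` swallows that, and the server-side session record is never destroyed. Calling `super` first and `reset_session` afterwards avoids this and still ends with an empty Rails session. Also, the opening fence of that example is four backticks while the closing fence is three, which will break rendering of the rest of the README on GitHub; make both three.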

2 changes: 1 addition & 1 deletion lib/quo_vadis/controller.rb
@@ -190,7 +190,7 @@ def lifetime_expires_at(browser_session)
def logout
session&.destroy
clear_session_id
reset_session
prevent_rails_session_fixation
controller.instance_variable_set :@authenticated_model, nil
end
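Review bot: `prevent_rails_session_fixation` is not defined in this hunk, so a reader cannot verify that it rotates the Rails session id without discarding the session contents, which is exactly what the new integration test relies on (`refute_equal session_id, desktop.session.id` together with the surviving `session[:foo]`). Add a one-line comment above the call stating that it renews the id while preserving data and that removing application data is now the host app's responsibility, and confirm the rotation happens after `clear_session_id` (as the ordering here suggests) so the renewed session never carries the old QuoVadis session id.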

1 change: 1 addition & 0 deletions test/dummy/app/controllers/articles_controller.rb
@@ -6,6 +6,7 @@ def index
end

def secret
session[:foo] = 'bar'
end

def also_secret
16 changes: 16 additions & 0 deletions test/integration/sessions_test.rb
@@ -69,6 +69,22 @@ class SessionsTest < IntegrationTest
end


test 'non-authentication session data is not removed on logout' do
desktop = login
session_id = desktop.session.id

desktop.get secret_articles_path
assert_equal 'bar', desktop.session[:foo]

desktop.delete quo_vadis.logout_path
refute desktop.controller.logged_in?

desktop.get articles_path
assert_equal 'bar', desktop.session[:foo]
refute_equal session_id, desktop.session.id
end


private

# starts a new rails session and logs in
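Review bot: the new test covers id rotation and data preservation, but nothing asserts that the server-side session was actually revoked, which is the part `session&.destroy` in `logout` is responsible for and the part an ordering mistake in a `destroy` override (see the README example on this page) could silently break. After `desktop.delete quo_vadis.logout_path`, add an assertion that the persisted session record is gone, or that a second client holding the pre-logout cookie is no longer `logged_in?`.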
