Update regarding Devise: I’ve learned from José Valim that Devise does implement a mechanism to invalidate previous sessions when a password is changed. When the password is changed, the salt also changes, and sessions with an invalid salt are rejected. This doesn’t solve the issue of “logged out” sessions being reused, but it’s nice to know that Devise deals with the password change issue out of the box.

By default, session data in Rails is stored via a cookie in the user’s browser. It’s a nice, simple storage mechanism, but it means that the server has absolutely no “memory” of a given session.

This can cause security problems for your application. If a thief gets hold of the user’s session cookie, then they can get into the user’s account.

The user might reasonably think that changing their password will solve this, but it won’t: the server has a chronic case of amnesia, and has no idea when a given session cookie was created or who by.

Your only way of locking the thief out would be to change the session secret, thereby invalidating

I wanted to implement the latter solution for my company, Loco2, and I was pretty surprised to find very little said about it on the web. The closest thing I could find was this blog post, but it took a bit of faffing to figure out how to apply that technique to Devise, which is our chosen authentication solution.

We’ll add a

Finally, we need to hook all this up to Devise.
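To make the salt-based mechanism described in the update at the top concrete, here is an added stand-alone Ruby sketch (not Devise’s own code and not part of the original post): the session cookie carries a fragment of the user’s current password salt, and a password change rotates the salt so that any previously issued session stops validating. The `User` and `SessionStore` classes, the SHA-256 digest and the 8-character salt fragment are assumptions for illustration; Devise itself uses bcrypt.

```ruby
require "securerandom"
require "digest"

# Illustrative user record (assumption, not Devise's model): keeps a random
# per-password salt and a digest of salt + password.
class User
  attr_reader :id, :password_salt

  def initialize(id, password)
    @id = id
    set_password(password)
  end

  # Changing the password rotates the salt. That rotation is what makes
  # every session issued under the old password stale.
  def set_password(password)
    @password_salt = SecureRandom.hex(16)
    @password_digest = Digest::SHA256.hexdigest(@password_salt + password)
  end

  def authenticate(password)
    @password_digest == Digest::SHA256.hexdigest(@password_salt + password)
  end
end

# Stand-in for the cookie session store: a plain hash that the browser would
# send back on every request. Rails signs/encrypts it; the point here is what
# goes inside it.
class SessionStore
  SALT_FRAGMENT_LENGTH = 8 # assumed length for the illustration

  def self.sign_in(user)
    { "user_id" => user.id,
      "user_salt" => user.password_salt[0, SALT_FRAGMENT_LENGTH] }
  end

  # Run on every request. The session is accepted only if the salt fragment
  # it carries still matches the user's current salt; a session stolen before
  # a password change therefore fails here. Note that this does nothing for a
  # session the user has merely "logged out" of while the salt is unchanged.
  def self.current_user(session, users)
    user = users[session["user_id"]]
    return nil unless user
    return nil unless session["user_salt"] == user.password_salt[0, SALT_FRAGMENT_LENGTH]
    user
  end
end
```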