In my logout action I'm doing this:
  def logout
    reset_session                 # drop the server-side session and issue a fresh session cookie
    cookies.delete(:rememberme)   # clear the persistent "remember me" cookie
    redirect_to root_url
  end
But the session is not being destroyed.
When I inspect the headers, the request sent to my logout action clearly includes the session ID:
Cookie: hiddenalerts=site_vrfy_124258; __utmz=REMOVED_INFO.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); elpriv=REMOVED_INFO; SESSID=b39a9a89bb6a39ea91b620fe0da392ed; __utma=REMOVED_INFO; __utmc=REMOVED_INFO; __utmb=REMOVED_INFO
But the response only clears the rememberme cookie, it doesn't clear the session cookie:
Set-Cookie: rememberme=; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT
If I compare this with the same headers when I comment out the rememberme cookie deletion, the request looks the same:
Cookie: hiddenalerts=site_vrfy_124258; __utmz=REMOVED_INFO.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); elpriv=REMOVED_INFO; SESSID=b39a9a89bb6a39ea91b620fe0da392ed; __utma=REMOVED_INFO; __utmc=REMOVED_INFO; __utmb=REMOVED_INFO
But the response looks more like I'd expect (and my session is correctly destroyed):
Set-Cookie: SESSID=50640523cf32b5b0fe8c93eb16aba6dc; path=/; HttpOnly
Has anyone else experienced this? I can only assume that the session handler and the ApplicationController don't hold the same reference to the cookies, so if you modify the cookies in the controller this clobbers anything that reset_session has done. I can work around this problem by manually deleting the session cookie, but I'd like to understand what's happening and if there's a known workaround first.
Obviously I need the ability to clear a "remember me" cookie during the logout process, otherwise the user will simply be immediately logged back in.
EDIT | Issue raised as a bug. I'll work around it for now. https://rails.lighthouseapp.com/projects/8994-ruby-on-rails/tickets/6763-deleting-a-cookie-and-calling-reset_session-in-the-same-controller-action-does-not-send-new-session-cookie
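An added check, not the poster's code and not part of Rails: plain Ruby that parses the request Cookie header and the response Set-Cookie lines quoted above and reports whether a logout response actually finished the job (rememberme cleared, session cookie rotated or expired). The header strings are the ones from the question; the function names and the combined "workaround" response are my own constructions.

```ruby
require "time"

# Headers quoted in the question (REMOVED_INFO is the poster's redaction).
REQUEST_COOKIE = "hiddenalerts=site_vrfy_124258; __utmz=REMOVED_INFO.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); elpriv=REMOVED_INFO; SESSID=b39a9a89bb6a39ea91b620fe0da392ed; __utma=REMOVED_INFO; __utmc=REMOVED_INFO; __utmb=REMOVED_INFO"
BUGGY_RESPONSE = ["Set-Cookie: rememberme=; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT"]
GOOD_RESPONSE  = ["Set-Cookie: SESSID=50640523cf32b5b0fe8c93eb16aba6dc; path=/; HttpOnly"]
# What the manual workaround should produce: both cookies handled in one response (constructed).
WORKAROUND_RESPONSE = BUGGY_RESPONSE + GOOD_RESPONSE

# Request "Cookie:" value -> { name => value }.
def parse_cookie_header(value)
  value.split(/;\s*/).each_with_object({}) do |pair, h|
    name, val = pair.split("=", 2)
    h[name] = val.to_s
  end
end

# True when an "expires=" attribute points into the past; unparseable dates count as not expired.
def past_expiry?(attr)
  return false unless attr
  Time.parse(attr.split("=", 2)[1]) < Time.now
rescue ArgumentError
  false
end

# One "Set-Cookie:" line -> { name:, value:, expired: }.
# A cookie counts as cleared when its value is empty or its Expires is in the past.
def parse_set_cookie(line)
  attrs = line.sub(/\ASet-Cookie:\s*/i, "").split(/;\s*/)
  name, value = attrs.shift.split("=", 2)
  expires = attrs.find { |a| a =~ /\Aexpires=/i }
  { name: name, value: value.to_s, expired: value.to_s.empty? || past_expiry?(expires) }
end

# Logout is complete only if the remember-me cookie (when the request carried one) is cleared
# AND the session cookie is either expired or re-issued with a different id.
def logout_complete?(request_cookie, set_cookie_lines, session_key: "SESSID", remember_key: "rememberme")
  before = parse_cookie_header(request_cookie)
  after  = set_cookie_lines.map { |l| parse_set_cookie(l) }.group_by { |c| c[:name] }
  remember_ok = !before.key?(remember_key) || (after[remember_key] || []).any? { |c| c[:expired] }
  session = (after[session_key] || []).last
  session_ok = !session.nil? && (session[:expired] || session[:value] != before[session_key])
  remember_ok && session_ok
end
```

Run against the two responses from the question, the first (rememberme cleared, no session Set-Cookie) fails the check and the second passes; the combined workaround response passes as well.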
Just to make sure: are you assigning this cookie to the right key, cookies[:rememberme]? The cookie will not be deleted if it isn't finding your hash attribute.