Skip to content

Commit

Permalink
add comment on session nonce
Browse files Browse the repository at this point in the history
  • Loading branch information
ezekg committed Jul 19, 2024
1 parent 6524642 commit a3fcabe
Showing 1 changed file with 2 additions and 0 deletions.
2 changes: 2 additions & 0 deletions app/controllers/concerns/authentication.rb
Original file line number Diff line number Diff line change
Expand Up @@ -124,6 +124,8 @@ def http_session_authenticator(session)
user = current_account.users.for_environment(current_environment, strict: current_environment.nil?)
.find_by(id: session[:user_id])

# Currently we only allow 1 session per-user, meaning if the session
# nonce doesn't match then the current session is outdated.
unless user.present? && user.account_id == session[:account_id] &&
user.session_nonce == session[:nonce]
session.destroy # clear cookie
Expand Down

0 comments on commit a3fcabe

Please sign in to comment.