Rails: Kick a logged-in user (Devise) out of his session

Have you ever thought of kicking a specific logged-in user out of their session (for some weird reason)?

If you are using Devise for authentication, then the short answer is you can’t.

I tried many ways to hack around and fool Devise into thinking that the user session had expired, but had no luck. The user session cannot be accessed by other users (for example, from the Rails console or at the database level).

The closest I thought I came was to trick the Timeoutable hook. But it depends on last_request_at, which is taken from the user session. I tried messing with DB fields like current_sign_in_at and last_sign_in_at, but realized that Devise does not look at these fields once the user logs in.

Overall, the conclusion is that we can’t mess around with Devise, which does its job well.

Note: You can still clear the sessions for all users in the following ways, depending on where the sessions are stored:

  1. Cookie Store (default):

    Fleet::Application.config.session_store :cookie_store, key: '_change_me_session'

    When you change the key the old sessions expire.

  2. Redis as session store: redis-cli flushall (which removes every key in Redis, not only sessions), or delete sessions using a wildcard if we know part of the key: $redis.del $redis.keys('session*').
  3. Database: if the sessions are stored in the database, rake db:sessions:clear.
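
Why option 1 logs everyone out, and why a cookie-store session cannot be reached from the console or the database, shown with a simplified model. This is an added example, not code from the original post or from Rails or Devise; the ToyCookieSessionStore class, the secret and the second key name are hypothetical, and Rails' real CookieStore also encrypts the payload.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Simplified model of a cookie-backed session store (constructed for
# illustration; not the Rails implementation).
class ToyCookieSessionStore
  def initialize(key:, secret:)
    @key = key        # cookie name, i.e. the `key:` option of session_store
    @secret = secret  # stands in for the application's signing secret
  end

  # Serialise and sign the session; the result lives only in the browser.
  def write(cookie_jar, session)
    payload = Base64.strict_encode64(JSON.generate(session))
    cookie_jar[@key] = "#{payload}--#{sign(payload)}"
  end

  # Look the cookie up by name and verify it; anything else is "no session".
  def read(cookie_jar)
    raw = cookie_jar[@key]
    return {} if raw.nil?
    payload, digest = raw.split('--', 2)
    return {} unless digest && same_bytes?(digest, sign(payload))
    JSON.parse(Base64.strict_decode64(payload))
  end

  private

  def sign(payload)
    OpenSSL::HMAC.hexdigest('SHA256', @secret, payload)
  end

  # Constant-time comparison of two equal-length strings.
  def same_bytes?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Constructed scenario: one browser logs in, then the key is changed.
def demo
  browser = {} # the user's cookie jar; the server keeps no copy of it
  before = ToyCookieSessionStore.new(key: '_change_me_session', secret: 's3cret')
  before.write(browser, 'user_id' => 42)
  after = ToyCookieSessionStore.new(key: '_changed_session', secret: 's3cret')
  { before: before.read(browser), after: after.read(browser) }
end
```

In this model the old cookie is ignored rather than destroyed: it would verify again if the key were changed back.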

 
