我正在使用带有passenger和authlogic的rails 4.0.3来构建Web应用程序,并在用户登录时遇到问题,但在创建时使用以前的用户身份验证令牌新的UserSession。有没有人在会议上经历过这样的事情?这导致用户2在用户1的会话下登录并具有不正确的访问权限。
用户1登录请求:
I, [2017-12-14T15:08:11.566277 #25162] INFO -- : Started POST "/login" for 172.68.xxx.xxx at 2017-12-14 15:08:11 +0000
I, [2017-12-14T15:08:11.567479 #25162] INFO -- : Processing by UserSessionsController#create as HTML
I, [2017-12-14T15:08:11.567545 #25162] INFO -- : Parameters: {"utf8"=>"✓", "authenticity_token"=>"4FgeuK825Mw4wfKvnHv1CXg3t5sNV1P621fdsgXzplE=", "user_session"=>{"email"=>"user1@gmail.com", "password"=>"[FILTERED]"}, "commit"=>"Sign In"}
用户登录请求2:
I, [2017-12-14T15:08:49.905291 #25162] INFO -- : Started POST "/login" for 172.68.xxx.xxx at 2017-12-14 15:08:49 +0000
I, [2017-12-14T15:08:49.906435 #25162] INFO -- : Processing by UserSessionsController#create as HTML
I, [2017-12-14T15:08:49.906494 #25162] INFO -- : Parameters: {"utf8"=>"✓", "authenticity_token"=>"4FgeuK825Mw4wfKvnHv1CXg3t5sNV1P621fdsgXzplE=", "user_session"=>{"email"=>"user2@gmail.com", "password"=>"[FILTERED]"}, "commit"=>"Sign In"}
答案 0 :(得分:1)
尝试覆盖ActionController :: Base#handle_unverified_request以确保销毁它。
class ApplicationController < ActionController::Base
helper_method :current_user_session, :current_user
private
def current_user_session
return @current_user_session if defined?(@current_user_session)
@current_user_session = UserSession.find
end
def current_user
return @current_user if defined?(@current_user)
@current_user = current_user_session && current_user_session.user
end
protected
def handle_unverified_request
# destroy session, redirect
if current_user_session
current_user_session.destroy
end
redirect_to root_url
end
end