I want to create an endpoint that will invalidate user session.
I understand that devise has a destroy_user_session route that will destroy the user session. But how can I do that for a specific user from an admin point of view? Where does devise store session data?
CodePudding user response:
Where does devise store session data?
Devise will use the session store that your Rails app is configured to use. The key used is determined by what you pass to devise_for in your config/routes.rb file - which is known as the Devise mapping. See Devise::Controller::Rememberable.
The default session storage in Rails has been ActionDispatch::CookieStore since at least Rails 4, so the session is actually "stored" by passing an encrypted cookie back and forth between the client and server. This is far more performant than the alternatives.
Thus you can't actually "invalidate" or destroy other users' sessions while using the cookie store, because it's not something you actually control. You can simply invalidate all users' cookies by changing the application secret, which will cause Rails to reject any existing session storage cookies and issue new ones.
If you want to be able to implement such a feature you need to change the session storage backend to server-side storage such as Redis or ActiveRecord, which will actually let you find a session for a specific user and delete it. Before doing so you should read up as much as possible about how sessions work in Rails and the basics of how Devise together with Warden handles user authentication, as you'll need a solid grasp of that to implement the feature. The performance implications should also be considered, as it will impact your entire application.
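As an added illustration of the answer's point (not code from the question, the answer, or Devise itself): a cut-down Ruby model of the two storage backends side by side. The in-memory Hash stands in for Redis or ActiveRecord, the HMAC-signed string stands in for Rails' encrypted cookie, and the session key layout follows the `warden.user.<scope>.key => [[id], salt]` convention that Devise writes through Warden.

```ruby
require "securerandom"
require "openssl"
require "json"

# Server-side store (stand-in for Redis or ActiveRecord): session id => data.
class ServerSideSessionStore
  WARDEN_KEY = "warden.user.user.key" # Devise's default :user scope
  def initialize
    @sessions = {}
  end
  # Warden serialises the signed-in record as [[id], authenticatable_salt].
  def sign_in(user_id, salt)
    sid = SecureRandom.hex(16)
    @sessions[sid] = { WARDEN_KEY => [[user_id], salt] }
    sid
  end
  def user_id_for(sid)
    @sessions.dig(sid, WARDEN_KEY, 0, 0)
  end
  # Admin action: delete every session whose Warden key belongs to user_id.
  def revoke_user(user_id)
    doomed = @sessions.select { |_, d| d.dig(WARDEN_KEY, 0, 0) == user_id }.keys
    doomed.each { |sid| @sessions.delete(sid) }
    doomed.size
  end
end

# Cookie store stand-in: the server keeps nothing; the session rides in a cookie
# authenticated by an HMAC under the app secret (real Rails also encrypts it).
class CookieSessionStore
  WARDEN_KEY = ServerSideSessionStore::WARDEN_KEY
  attr_writer :secret # rotating the secret is the only server-side lever
  def initialize(secret)
    @secret = secret
  end
  def sign_in(user_id, salt)
    data = JSON.generate({ WARDEN_KEY => [[user_id], salt] })
    "#{[data].pack('m0')}--#{OpenSSL::HMAC.hexdigest('SHA256', @secret, data)}"
  end
  # Returns the user id if the cookie verifies under the current secret, else nil.
  def user_id_for(cookie)
    encoded, mac = cookie.to_s.split("--", 2)
    data = encoded.unpack1("m0")
    expected = OpenSSL::HMAC.hexdigest("SHA256", @secret, data)
    return nil unless mac && mac.bytesize == expected.bytesize &&
                      mac.bytes.zip(expected.bytes).sum { |x, y| x ^ y }.zero?
    JSON.parse(data).dig(WARDEN_KEY, 0, 0)
  end
end
```

With the server-side store an admin can revoke one user's sessions and leave everyone else signed in; with the cookie store the only option is to rotate the secret, which signs everyone out at once.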