Should auto_login resets and restores session? #321

@yuh-pen

Hi,

Looks like the login method resets and restores the session, but the auto_login method doesn't.
I think the auto_login method should too. How about it? 👀

Ruby On Rails Security Guide

The most effective countermeasure is to issue a new session identifier and declare the old one invalid after a successful login. That way, an attacker cannot use the fixed session identifier. This is a good countermeasure against session hijacking, as well. Here is how to create a new session in Rails: reset_session

If you use the popular RestfulAuthentication plugin for user management, add reset_session to the SessionsController#create action. Note that this removes any value from the session, you have to transfer them to the new session.

# Writes the user into the existing session; the session id is not rotated.
def auto_login(user, _should_remember = false)
  session[:user_id] = user.id.to_s
  @current_user = user
end

def login(*credentials)
  @current_user = nil
  user_class.authenticate(*credentials) do |user, failure_reason|
    if failure_reason
      after_failed_login!(credentials)
      yield(user, failure_reason) if block_given?
      # FIXME: Does using `break` or `return nil` change functionality?
      # rubocop:disable Lint/NonLocalExitFromIterator
      return
      # rubocop:enable Lint/NonLocalExitFromIterator
    end
    # Session fixation countermeasure: copy the session, issue a new session
    # id, then carry the copied values over into the new session.
    old_session = session.dup.to_hash
    reset_sorcery_session
    old_session.each_pair do |k, v|
      session[k.to_sym] = v
    end
    form_authenticity_token
    auto_login(user, credentials[2])
    after_login!(user, credentials)
    block_given? ? yield(current_user, nil) : current_user
  end
end
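As an added illustration (not Sorcery's or Rails' code), the Ruby below models the difference the issue points at: a session id that existed before login stays valid when the user is written into the session as auto_login does, but is invalidated when the session is rotated and restored the way login does. The SessionStore class, the return_to value and the user id 42 are constructed for the example.

```ruby
require "securerandom"

# Tiny in-memory stand-in for a cookie-keyed server-side session store
# (constructed for this example; not Sorcery or Rails code).
class SessionStore
  attr_reader :current_id

  def initialize
    @sessions = {}
    @current_id = SecureRandom.hex(16)
    @sessions[@current_id] = {}
  end

  # The hash the current request sees, analogous to `session` in a controller.
  def session
    @sessions[@current_id]
  end

  # Equivalent of reset_session: a fresh id, and the old id is no longer valid.
  def reset_session
    @sessions.delete(@current_id)
    @current_id = SecureRandom.hex(16)
    @sessions[@current_id] = {}
  end

  # True if a session id (e.g. one that existed before login) is still accepted.
  def valid_id?(id)
    @sessions.key?(id)
  end
end

# Mirrors the issue's auto_login: writes the user into whatever session exists.
def auto_login_without_reset(store, user_id)
  store.session[:user_id] = user_id.to_s
end

# Mirrors what login does around auto_login: rotate the session id and carry
# non-authentication data (such as a return_to path) into the new session.
def auto_login_with_reset(store, user_id)
  old_session = store.session.dup
  store.reset_session
  old_session.each_pair { |k, v| store.session[k.to_sym] = v }
  store.session[:user_id] = user_id.to_s
end

# Returns [pre_login_id_still_valid?, return_to_preserved?, user_id] for a login method.
def simulate(login_method)
  store = SessionStore.new
  store.session[:return_to] = "/dashboard" # constructed pre-login session data
  pre_login_id = store.current_id
  send(login_method, store, 42)
  [store.valid_id?(pre_login_id), store.session[:return_to] == "/dashboard", store.session[:user_id]]
end
```

Run `simulate(:auto_login_without_reset)` and `simulate(:auto_login_with_reset)` to compare: only the second invalidates the pre-login id, and both keep the restored return_to value.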

Label: question (Asking a question about Sorcery)