
token authentication does not log out existing user #1644

ericmnel opened this Issue · 6 comments

6 participants

Eric Nelson José Valim Sean Rucker Douwe Maan Davide Cenzi robotfelix
Eric Nelson

If you are authenticated as user A on a web browser session, and then click a token authentication link for user B, it keeps you logged in as user A.

In order to get the token authentication link to work, you have to be logged out manually; it does not automatically log out user A and log in user B.

José Valim

Yes, the token authentication does not even get to be validated if the user is already signed in. If this is the scenario you want, you should probably create your own authentication entry point or manage the token by yourself.

Eric Nelson

This is how I dealt with it, in case anybody else needs to have a token authentication that will log out existing users before logging in with the token:

def token_login
  token = params[:token]

  if token == nil
    ERROR_LOG.create "Missing parameter 'token'"
    redirect_to root_path
  else
    case
    when current_login == nil
      INFO_LOG.create "Token login without current login"
    when current_login.authentication_token == token
      # Already signed in as the token's owner: nothing to switch.
      INFO_LOG.create "Token login, already logged in"
      redirect_to root_path
      return
    else
      # Signed in as a different login: sign it out so the token can be used.
      INFO_LOG.create "Token login, signing out current login #{}"
      sign_out current_login
    end

    # Hand the token to the token authentication entry point.
    redirect_to "#{root_path(:auth_token => token)}"
  end
end


Sean Rucker

I had the same need as @ericmnel and solved it by adding a before_filter to the application controller:

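def sign_out_if_token_present
  # current_user is nil when nobody is signed in, so guard before reading its token.
  if params[:auth_token].present? and current_user and (params[:auth_token] != current_user.authentication_token)
    sign_out current_user
  end
end

Douwe Maan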

Thanks @seanrucker!

Davide Cenzi

Thank you! I was having the same problem :+1:


Simple and effective solution - thanks @seanrucker!
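
The decision discussed in this thread, as an added plain-Ruby example that is not code from any commenter or from Devise: it resolves the token to a user before touching the session, so a link carrying an unknown token leaves the signed-in user alone instead of signing them out. The `USERS` table, the token values and the function names are constructed for illustration; in a Rails app the `:switch` result would map to `sign_out`, a session reset and `sign_in`.

```ruby
require "digest"

# Constructed sample data: user name => authentication token.
USERS = { "alice" => "tok-alice-1111", "bob" => "tok-bob-2222" }.freeze

# Constant-time string comparison (hash first so both sides have equal length).
def secure_equal?(a, b)
  da = Digest::SHA256.digest(a.to_s).bytes
  db = Digest::SHA256.digest(b.to_s).bytes
  da.zip(db).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Find the owner of a token without stopping at the first match.
def token_owner(token, users = USERS)
  return nil if token.nil? || token.empty?
  owner = nil
  users.each { |name, stored| owner = name if secure_equal?(stored, token) }
  owner
end

# Decide what a token link should do, given the user held in the session.
# Returns [action, user]:
#   :keep    - no token, unknown token, or the session user's own token
#   :sign_in - nobody is signed in and the token is valid
#   :switch  - valid token of another user: sign out, reset session, sign in
def resolve_token_login(session_user, token, users = USERS)
  owner = token_owner(token, users)
  return [:keep, session_user] if owner.nil? # invalid token never signs anyone out
  return [:keep, session_user] if owner == session_user
  return [:sign_in, owner] if session_user.nil?
  [:switch, owner]
end

if __FILE__ == $PROGRAM_NAME
  [["alice", "tok-bob-2222"], ["alice", "garbage"], [nil, "tok-bob-2222"],
   ["alice", "tok-alice-1111"], ["alice", nil]].each do |user, token|
    action, result = resolve_token_login(user, token)
    puts "#{user.inspect} + #{token.inspect} -> #{action} (#{result.inspect})"
  end
end
```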
