Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Already on GitHub? Sign in to your account

Only skip session timeout check for create and destroy. #2269

wants to merge 1 commit into


None yet
3 participants

drewish commented Feb 8, 2013

My understanding of the code is that when a user hits the login page with an expired session, they get redirected to signed_in_root_path where the expired session is detected, causing them to be redirected back to the login page. It seems like it would be more efficent to just check the expiration in the first place and avoid the redirect cycle.

We discovered this on a site where we're using devise to authenticate users as part of an an OAuth flow. We discovered that if the user had logged in, waited for the session to expire, and then specifically loaded the sign in page (hitting Devise::SessionsController#new), they'd be redirected right through into the OAuth flow without being timed out. We tracked it down to the fact that we'd overridden after_sign_in_path_for to send them off to the right callback URL. In that case,
request.env["devise.skip_timeout"] is true, the require_no_authentication filter redirects them through the OAuth flow, and the session never expires.

We'd worked around it by just removing the filter e.g. _process_action_callbacks.reject! {|cb| cb.raw_filter.is_a?(Proc) } which seemed a little more hacky than it needed to be since the filter was a proc rather than a symbol.


josevalim commented Feb 8, 2013

@drewish thanks for the PR. Unfortunately it causes the build to fail and it does not have any tests. Could you please take a look? Thanks.


drewish commented Feb 11, 2013

Ah yeah I had some trouble getting the tests running the first time. I was able to get them running over the weekend and see failed test you pointed out. I'll spend some more time on this today and update the commit.


drewish commented Feb 12, 2013

I made a couple changes to this and added a new test but now the 'time out is not triggered on sign in' test is failing. I'm not quite sure why that is.

I notice that if I keep the change to SessionsController (only skipping timeout for create and destroy) and revert the change to the timeoutable hook, i.e. allow last_request_at to be updated, all tests pass, including the new test, "expired session is not extended by sign in page".

I pushed the change described above to a branch at teleological/devise@41fdc49, leaving @drewish as the author. Not setting devise.skip_timeout for sessions#new is sufficient: When a user with an expired session requests sessions#new, the timed-out session is detected and invalidated and control never reaches the part that would update last_request_at.


josevalim commented Nov 6, 2013

Merged the important bits, thank you!

@josevalim josevalim closed this Nov 6, 2013

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment