The SessionsController#destroy action uses logout_killing_session! to log the user out. This effectively does 2 things:
1) set the session's user_id to nil
2) reset the session, which generates a new session id
The problem is that the changes made in step (1) are never persisted to the database. This allows anyone with access to the previous session id to access restricted pages without supplying any credentials.
I am not sure of the proper patch here, as Rails's middleware-based session handling loads and persists the session at a different layer. So it's awkward to "flush" the session to the database from inside the request cycle.
My workaround was a bit of a hack -- I just delete the session since I don't care about keeping it around:
ActiveRecord::SessionStore::Session.delete_all :session_id => request.session_options[:id]
Here is a blueprint of a test to replicate the behavior:
test "invalidates sessions after user has logged out" do
user = Factory(:user)
post_via_redirect create_session_url, :email => user.email, :password => user.password
session_id_before_logout = cookies[SESSION_ID_COOKIE_KEY]
open_session do |attacker_session|
attacker_session.cookies[SESSION_ID_COOKIE_KEY] = session_id_before_logout