Method: Authentication::Logic::ControllerAdapters::AbstractAdapter#renew_session_id

Defined in:
lib/auth/logic/controller_adapters/abstract_adapter.rb

#renew_session_id ⇒ Object

Inform Rack that we would like a new session ID to be assigned. Changes the ID, but not the contents of the session.

The :renew option is read by rack/session/abstract/id.rb.

This is how Devise (via warden) implements defense against Session Fixation. Our implementation is copied directly from the warden gem (set_user in warden/proxy.rb).



# File 'lib/auth/logic/controller_adapters/abstract_adapter.rb', line 57

def renew_session_id
  env = request.env
  options = env[ENV_SESSION_OPTIONS]
  return unless options

  if options.frozen?
    env[ENV_SESSION_OPTIONS] = options.merge(renew: true).freeze
  else
    options[:renew] = true
  end
end
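
The following is an added example, not code from this project or from Rack. It shows the effect described above: after the `:renew` flag is set, a session ID known before login stops resolving while the session contents carry over. Assumptions: `ENV_SESSION_OPTIONS` is taken to be Rack's `"rack.session.options"` env key, the method takes `env` as a parameter so it runs without a controller, and `ToyStore` and `login_flow` are hypothetical, simplified stand-ins for a session middleware that honours `:renew` at commit time.

```ruby
require "securerandom"

# Assumption: the constant names Rack's env key for session options.
ENV_SESSION_OPTIONS = "rack.session.options"

# Same logic as the method above, with env passed in (assumption for the demo).
def renew_session_id(env)
  options = env[ENV_SESSION_OPTIONS]
  return unless options # no session middleware: nothing to flag

  if options.frozen?
    # A frozen hash cannot be mutated, so a flagged copy replaces it in env.
    env[ENV_SESSION_OPTIONS] = options.merge(renew: true).freeze
  else
    options[:renew] = true
  end
end

# Hypothetical toy store: on commit, :renew means "new ID, same contents".
class ToyStore
  attr_reader :sessions

  def initialize
    @sessions = {}
  end

  def commit(env, sid, data)
    if env.fetch(ENV_SESSION_OPTIONS, {})[:renew]
      @sessions.delete(sid)        # the pre-login ID no longer resolves
      sid = SecureRandom.hex(16)   # fresh, unpredictable ID
    end
    @sessions[sid] = data
    sid
  end
end

# Constructed scenario: "fixed-sid" was known to a third party before login.
def login_flow(frozen:)
  store = ToyStore.new
  store.sessions["fixed-sid"] = { "cart" => [42] }
  opts = { renew: false }
  env = { ENV_SESSION_OPTIONS => (frozen ? opts.freeze : opts) }

  renew_session_id(env) # called at the moment of authentication
  data = store.sessions["fixed-sid"].merge("user_id" => 7)
  new_sid = store.commit(env, "fixed-sid", data)
  { new_sid: new_sid, old_valid: store.sessions.key?("fixed-sid"),
    data: store.sessions[new_sid] }
end
```

If the options key is absent from `env`, the method returns without flagging anything, so a deployment that relies on this defense needs session middleware in the stack that sets and reads that key.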