Sha256: 4cff88b45c7ae5fb6f225633cc87de9cfa5d3a5d83d920a97330f789d8884e88
Contents?: true
Size: 1.3 KB
Versions: 3
Compression:
Stored size: 1.3 KB
Contents
# Session limiting: allow only one live session per record.
#
# Sign-in hook. Runs whenever the user is set explicitly (set_user) or by
# authentication; restoring the user from the session (:fetch) is excluded.
# A fresh token is generated, stored in the scoped Warden session and handed
# to the record, so the record always carries the token of the newest sign in.
Warden::Manager.after_set_user :except => :fetch do |record, warden, options|
  scope = options[:scope]

  # Only records that opt in (by implementing update_unique_session_id!) and
  # that are actually authenticated for this scope get a token.
  next unless record.respond_to?(:update_unique_session_id!) && warden.authenticated?(scope)

  token = Devise.friendly_token
  # NOTE(review): the session write and the record update are two separate
  # steps; how concurrent sign-ins are resolved depends on
  # update_unique_session_id!, which is not visible here. Confirm.
  warden.session(scope)['unique_session_id'] = token
  record.update_unique_session_id!(token)
end

# Fetch hook. Runs each time the record is restored from the session and
# compares the token held by the record with the token held by this session.
# A mismatch means a newer session was opened elsewhere (another browser), so
# this older session is cleared, logged out and sent to the sign in page on
# the next request with the :session_limited message.
Warden::Manager.after_set_user :only => :fetch do |record, warden, options|
  scope = options[:scope]
  env = warden.request.env

  next unless record.respond_to?(:unique_session_id)
  next unless warden.authenticated?(scope)
  # Requests that explicitly asked not to store the user are not checked.
  next if options[:store] == false

  # If both sides are nil (the record never received a token and the session
  # has no 'unique_session_id' key) they compare equal and nothing is enforced.
  next if record.unique_session_id == warden.session(scope)['unique_session_id']

  # Opt-out switch read from the Rack env. Anything that sets this key
  # disables the limit for the request, so it should only ever be set by
  # trusted server-side code.
  next if env['devise.skip_session_limitable']

  # Clears the whole raw session, not only this scope's data, before logging
  # the scope out and aborting the request through Warden's failure path.
  warden.raw_session.clear
  warden.logout(scope)
  throw :warden, :scope => scope, :message => :session_limited
end