Merge pull request #1436 from basecamp/fix-cookie-clash-with-old-path-scoped-session-token

Delete scoped session tokens when encountered
This commit is contained in:
Stanko Krtalić
2025-10-31 19:14:03 +01:00
committed by GitHub
2 changed files with 8 additions and 1 deletions
@@ -4,6 +4,7 @@ module Authentication
included do
# Checking for tenant must happen first so we redirect before trying to access the db.
before_action :require_tenant
prepend_before_action :clear_old_scoped_session_cookies
before_action :require_authentication
helper_method :authenticated?
@@ -51,6 +52,12 @@ module Authentication
end
end
def clear_old_scoped_session_cookies
if request.script_name.present? && cookies.signed[:session_token].present? && !find_session_by_cookie
cookies.signed[:session_token] = { value: "invalid-session-token", path: request.script_name, expires: 1.hour.ago }
end
end
def find_session_by_cookie
Session.find_signed(cookies.signed[:session_token])
end
+1 -1
View File
@@ -17,7 +17,7 @@ class Membership < UntenantedRecord
def account_name
ApplicationRecord.with_tenant(tenant) { Account.sole.name }
rescue ActiveRecord::Tenanted::TenantDoesNotExistError
rescue ActiveRecord::Tenanted::TenantDoesNotExistError, ActiveRecord::RecordNotFound
nil
end