UserSession 真实性令牌正在不同用户之间共享
UserSession authenticity token is being shared across different users
我正在使用 rails 4.0.3 和 passenger and authlogic 来构建网络应用程序,并且 运行 在用户登录时遇到问题,但使用的是以前的用户真实性创建新的 UserSession 时的令牌。关于 session 有没有人经历过这样的事情?这导致用户 2 在用户 1 的 session 下登录并具有不正确的访问权限。
用户 1 登录请求:
I, [2017-12-14T15:08:11.566277 #25162] INFO -- : Started POST "/login" for 172.68.xxx.xxx at 2017-12-14 15:08:11 +0000
I, [2017-12-14T15:08:11.567479 #25162] INFO -- : Processing by UserSessionsController#create as HTML
I, [2017-12-14T15:08:11.567545 #25162] INFO -- : Parameters: {"utf8"=>"✓", "authenticity_token"=>"4FgeuK825Mw4wfKvnHv1CXg3t5sNV1P621fdsgXzplE=", "user_session"=>{"email"=>"user1@gmail.com", "password"=>"[FILTERED]"}, "commit"=>"Sign In"}
用户登录请求2:
I, [2017-12-14T15:08:49.905291 #25162] INFO -- : Started POST "/login" for 172.68.xxx.xxx at 2017-12-14 15:08:49 +0000
I, [2017-12-14T15:08:49.906435 #25162] INFO -- : Processing by UserSessionsController#create as HTML
I, [2017-12-14T15:08:49.906494 #25162] INFO -- : Parameters: {"utf8"=>"✓", "authenticity_token"=>"4FgeuK825Mw4wfKvnHv1CXg3t5sNV1P621fdsgXzplE=", "user_session"=>{"email"=>"user2@gmail.com", "password"=>"[FILTERED]"}, "commit"=>"Sign In"}
尝试覆盖 ActionController::Base#handle_unverified_request 以确保销毁它。
class ApplicationController < ActionController::Base
helper_method :current_user_session, :current_user
private
def current_user_session
return @current_user_session if defined?(@current_user_session)
@current_user_session = UserSession.find
end
def current_user
return @current_user if defined?(@current_user)
@current_user = current_user_session && current_user_session.user
end
protected
def handle_unverified_request
# destroy session, redirect
if current_user_session
current_user_session.destroy
end
redirect_to root_url
end
end
我正在使用 rails 4.0.3 和 passenger and authlogic 来构建网络应用程序,并且 运行 在用户登录时遇到问题,但使用的是以前的用户真实性创建新的 UserSession 时的令牌。关于 session 有没有人经历过这样的事情?这导致用户 2 在用户 1 的 session 下登录并具有不正确的访问权限。
用户 1 登录请求:
I, [2017-12-14T15:08:11.566277 #25162] INFO -- : Started POST "/login" for 172.68.xxx.xxx at 2017-12-14 15:08:11 +0000
I, [2017-12-14T15:08:11.567479 #25162] INFO -- : Processing by UserSessionsController#create as HTML
I, [2017-12-14T15:08:11.567545 #25162] INFO -- : Parameters: {"utf8"=>"✓", "authenticity_token"=>"4FgeuK825Mw4wfKvnHv1CXg3t5sNV1P621fdsgXzplE=", "user_session"=>{"email"=>"user1@gmail.com", "password"=>"[FILTERED]"}, "commit"=>"Sign In"}
用户登录请求2:
I, [2017-12-14T15:08:49.905291 #25162] INFO -- : Started POST "/login" for 172.68.xxx.xxx at 2017-12-14 15:08:49 +0000
I, [2017-12-14T15:08:49.906435 #25162] INFO -- : Processing by UserSessionsController#create as HTML
I, [2017-12-14T15:08:49.906494 #25162] INFO -- : Parameters: {"utf8"=>"✓", "authenticity_token"=>"4FgeuK825Mw4wfKvnHv1CXg3t5sNV1P621fdsgXzplE=", "user_session"=>{"email"=>"user2@gmail.com", "password"=>"[FILTERED]"}, "commit"=>"Sign In"}
尝试覆盖 ActionController::Base#handle_unverified_request 以确保销毁它。
class ApplicationController < ActionController::Base
helper_method :current_user_session, :current_user
private
def current_user_session
return @current_user_session if defined?(@current_user_session)
@current_user_session = UserSession.find
end
def current_user
return @current_user if defined?(@current_user)
@current_user = current_user_session && current_user_session.user
end
protected
def handle_unverified_request
# destroy session, redirect
if current_user_session
current_user_session.destroy
end
redirect_to root_url
end
end