Question

The RoR Security Guide states that you should "issue a new session identifier and declare the old one invalid after a successful login" using the reset_session method to counter session fixation.

I haven't been able to find any guidance on calling reset_session when using Authlogic. Is it simply a case of including the method in the controller method (as below)?

I'm just concerned about causing problems for Authlogic as I can see both user_credentials and user_credentials_id keys and values in the session hash prior to calling reset_session.

class UserSessionsController < ApplicationController

  def create
    @user_session = current_client.user_sessions.new(params[:user_session])
    if @user_session.save
      # By this point Authlogic has already written user_credentials and
      # user_credentials_id into the session; reset_session wipes them as well.
      reset_session
      flash[:success] = I18n.t(:msg_login_success)
      redirect_back_or_default application_root_path
    else
      render :action => :new
    end
  end
end

Solution

For reference this is my current method:

def create
  @user_session = current_client.user_sessions.new(params[:user_session])

  if @user_session.save
    # Reset the session to counter session fixation, whilst retaining the
    # existing values (including Authlogic's user_credentials keys) except
    # for those that the application created specific to the previous user.
    # merge returns a new hash with "current_user" replaced by an empty hash,
    # so the old per-user data is not carried over.
    temp_session = session.merge("current_user" => {}).clone
    # Issue a new session identifier; the session hash is now empty.
    reset_session
    # reverse_merge! only fills keys that are absent, and every key is absent
    # after reset_session, so the saved values are copied back wholesale.
    session.reverse_merge!(temp_session)
    # Set flash message and redirect.
    flash[:success] = I18n.t(:msg_login_success)
    redirect_back_or_default application_root_path
  else
    render :action => :new
  end
end

With the call to reset_session still performed after a successful login as per the recommendation in http://guides.rubyonrails.org/security.html#session-fixation-countermeasures

OTHER TIPS

Yeah, resetting the session AFTER you log the user in (which is what looks like it's happening?) is definitely not right. You want to do it BEFORE you log the user in.

Ideally you'd want to do it before you log the user in but only if the login is actually going to be successful -- but I'm not sure if you can get auth_logic to do that. I'm not very experienced with auth_logic, although it's a REALLY good question for auth_logic; if I were you I'd file it as a support ticket with auth_logic.

But in the meantime, you might want to just try putting the reset_session at the top of the action method, before @user_session = current_client.user_sessions.new(params[:user_session]). I think this will work, and at worst reset the session in some cases where you really didn't have to (if the user's credentials were invalid), but I don't think that will cause a serious problem. (Uh-oh, unless it causes you to lose your validation errors?)

But again, not an auth_logic expert here. I don't expect you to accept this answer since I don't have the expertise to really answer it, just sharing what I think in case it helps you and gives you some pointers as to how to think about it.
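The two orderings discussed above (the Solution's reset-after-save-and-copy-back, and the reset-before-login suggested in Other Tips) can be compared without a Rails stack. The following is an added example, not code from the original post or from Authlogic: it uses a constructed FakeSession standing in for the cookie-store session, an authlogic_save stand-in that writes the same user_credentials / user_credentials_id keys Authlogic writes, a hypothetical SAFE_KEYS allow-list (return_to) of application values worth carrying across a login, and a constructed USERS table. It shows that logging in without a reset leaves an attacker-fixed session id in place, while either fixed ordering issues a fresh id and keeps the login working.

```ruby
require "securerandom"

# Constructed stand-in for a cookie-store session: an identifier plus a data hash.
class FakeSession
  attr_reader :id, :data

  def initialize(id = SecureRandom.hex(16), data = {})
    @id = id
    @data = data
  end
end

# Hypothetical allow-list of application keys that may survive a login.
SAFE_KEYS = ["return_to"].freeze

# Keys Authlogic writes into the session on a successful save (names from the question).
AUTHLOGIC_KEYS = ["user_credentials", "user_credentials_id"].freeze

# Constructed user store for the example only.
USERS = { "alice" => "correct horse battery staple" }.freeze

# Stand-in for Rails' reset_session: a brand-new id and an empty data hash.
def reset_session(_old)
  FakeSession.new
end

# Stand-in for Authlogic's UserSession#save: check credentials, then persist
# the login by writing the credential keys into the current session.
def authlogic_save(session, login, password)
  return false unless USERS[login] == password

  session.data["user_credentials"] = SecureRandom.hex(32) # persistence token stand-in
  session.data["user_credentials_id"] = 1
  true
end

# Vulnerable: authenticate without rotating. If the attacker planted the id,
# the victim's login is now bound to a session the attacker already holds.
def login_without_reset(session, login, password)
  authlogic_save(session, login, password)
  session
end

# Other Tips ordering: rotate first, carry over only allow-listed keys, then
# authenticate into the fresh session. Failed logins also get a new id.
def login_with_reset_before(session, login, password)
  carried = session.data.select { |k, _| SAFE_KEYS.include?(k) }
  fresh = reset_session(session)
  fresh.data.merge!(carried)
  authlogic_save(fresh, login, password)
  fresh
end

# Solution ordering: authenticate first, then rotate and copy back both the
# allow-listed application keys and the credential keys Authlogic just wrote.
def login_with_reset_after(session, login, password)
  return session unless authlogic_save(session, login, password)

  keep = session.data.select { |k, _| (SAFE_KEYS + AUTHLOGIC_KEYS).include?(k) }
  fresh = reset_session(session)
  fresh.data.merge!(keep)
  fresh
end

# Builds a session as an attacker would leave it after fixing the id on the victim.
def attacker_fixed_session
  FakeSession.new("attacker-fixed-id", { "return_to" => "/account", "current_user" => { "cart" => [3] } })
end

if $PROGRAM_NAME == __FILE__
  [[:login_without_reset, "vulnerable"], [:login_with_reset_before, "reset before"],
   [:login_with_reset_after, "reset after"]].each do |meth, label|
    s = send(meth, attacker_fixed_session, "alice", "correct horse battery staple")
    puts "#{label}: id=#{s.id} keys=#{s.data.keys.sort.inspect}"
  end
end
```

Running the block prints the three outcomes side by side: only the vulnerable path keeps the attacker-fixed id, both fixed paths end with a new id, the return_to value and a valid login, and the old per-user current_user data is gone in both.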

Licensed under: CC-BY-SA with attribution