I have an ExtJS6 app as the frontend and Rails at the backend, using Devise for authentication. My `sessions#destroy` looks like this:

    def destroy
      cookies.delete :auth_token   # tell the browser to drop the auth_token cookie
      reset_session                # discard the Rails session and issue a new session id
      sign_out(:user)              # Devise helper: sign out the :user scope
      render json: { success: true, message: 'Successfully logged out' }
    end

It does log the user out (seemingly), but refreshing the page logs the previous user back in.

It seems like the cookies are not getting reset.

ducktyped
  • As a minor point - it's a bad security practice to rely on deleting the cookie to sign people out. A bad agent could refuse to delete a cookie on the client side. Instead, on the server side, you should be ensuring that the cookie is no longer accepted as an authentication token. This would solve your problem. – Robert Watkins Nov 15 '16 at 20:34
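The comment above makes the security-relevant point: a logout that only asks the client to delete its cookie does nothing if the client keeps the cookie, so the server must stop honouring the token itself. The following is an added, stand-alone example (not the asker's app, not Devise's code) of that difference. It assumes a hypothetical `TokenSessionStore` whose in-memory hash stands in for the database table or user column that a real app would clear or rotate on sign-out; only a SHA-256 digest of each token is stored, so a leaked table does not yield usable tokens.

```ruby
require 'securerandom'
require 'digest'

# Hypothetical server-side store of issued auth tokens (added example; the
# Hash stands in for a DB table/column). Clients receive the raw token once;
# the server keeps only its digest.
class TokenSessionStore
  def initialize
    @sessions = {} # SHA-256 digest of token => user id
  end

  # Issue a fresh random token for +user_id+ and remember its digest.
  def sign_in(user_id)
    token = SecureRandom.hex(32)
    @sessions[digest(token)] = user_id
    token
  end

  # Resolve a presented token to a user id, or nil if unknown or revoked.
  def authenticate(token)
    return nil if token.nil? || token.empty?
    @sessions[digest(token)]
  end

  # Revoke on the server. Whatever the client does with its cookie,
  # this token can never authenticate again. Returns true if it existed.
  def sign_out(token)
    return false if token.nil?
    !@sessions.delete(digest(token)).nil?
  end

  private

  def digest(token)
    Digest::SHA256.hexdigest(token)
  end
end

# Scenario 1: logout relies only on a Set-Cookie deletion. The simulated
# client ("bad agent") ignores it and keeps the cookie jar as it was.
# Nothing changed server-side, so replaying the old cookie still works.
def cookie_only_logout_still_authenticates
  store = TokenSessionStore.new
  cookie_jar = { auth_token: store.sign_in(42) }  # constructed client state
  # (server asked the client to delete :auth_token; the client refused)
  !store.authenticate(cookie_jar[:auth_token]).nil?
end

# Scenario 2: logout revokes the token server-side first, and only then
# asks the client to drop the cookie. Replaying the old cookie now fails
# even though the client never deleted it.
def server_side_logout_rejects_replay
  store = TokenSessionStore.new
  token = store.sign_in(42)
  cookie_jar = { auth_token: token }               # constructed client state
  store.sign_out(token)
  store.authenticate(cookie_jar[:auth_token]).nil?
end

# Revoking a token that was never issued (or already revoked) is a no-op.
def sign_out_unknown_token_is_noop
  store = TokenSessionStore.new
  store.sign_out(SecureRandom.hex(32)) == false
end
```

In a Devise-based app the equivalent of `sign_out(token)` is whatever makes the server forget the credential the cookie carries (clearing or rotating the stored token for that user); `cookies.delete` is then only a courtesy to well-behaved browsers, not the thing that ends the session.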

1 Answer

Take a look at these two issues:

  1. https://github.com/lynndylanhurley/devise_token_auth/issues/486

  2. https://github.com/lynndylanhurley/devise_token_auth/issues/375

They explain why deleting your session may not be persisting. You'll need to override your sessions controller. Full explanation there.

toddmetheny
  • That's not the only possible problem. That's just the context they were experiencing the problem in. The `CSRF token` is a possible problem. – toddmetheny Nov 15 '16 at 14:26