On Oct 19, 3:17 pm, Avik <avik...@gmail.com> wrote:
>
> According to the code for 2.2.2 (and also the current version), the
> token is not inherently "user-specific"; it may remain the same even
> when other session fields change. Thus, the app _must_ use
> reset_session when a different user logs in to force a different token
> to be computed. (In particular, just clearing out the relevant fields,
> e.g., session[:user_id], is not enough, since session[:_csrf_token] or
> session[:csrf_id] remains set.) Otherwise, we may get the following
> scenario, for example.
>
Ah, with you now - thought you were saying that two completely unrelated sessions might end up with the same auth token.

Fred
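As an added illustration of Avik's point (this is a stand-alone model written for this page, not code from Rails or from either poster), the snippet below mimics how Rails 2.2-era request forgery protection memoizes the token in `session[:_csrf_token]`, and compares a login that only swaps `session[:user_id]` with one that calls `reset_session` first. The `form_authenticity_token`, `reset_session` and login helpers are simplified stand-ins for the Rails behaviour, assumed here rather than copied from the framework.

```ruby
require 'securerandom'

# Simplified stand-in for Rails 2.2's form_authenticity_token: the token is
# generated once and memoized in the session, independent of who is logged in.
def form_authenticity_token(session)
  session[:_csrf_token] ||= SecureRandom.base64(32)
end

# Stand-in for Rails' reset_session: the old session data is discarded entirely,
# so session[:_csrf_token] goes with it and the next call computes a new token.
def reset_session
  {}
end

# Weak login: clears and re-sets the user field only. session[:_csrf_token]
# survives, so user 2 inherits the token that was issued while user 1 was active.
def login_without_reset(session, user_id)
  session.delete(:user_id)
  session[:user_id] = user_id
  session
end

# Correct login (the pattern Avik describes): reset_session before storing the
# new user's id, which forces a fresh token on the next form render.
def login_with_reset(session, user_id)
  session = reset_session
  session[:user_id] = user_id
  session
end

# Returns true when the CSRF token from the previous user is still the token
# after a different user logs in, i.e. the defect the thread describes.
def token_survives_switch?(login)
  session = { user_id: 1 }                 # constructed sample session
  before = form_authenticity_token(session) # token issued to user 1
  session = login.call(session, 2)          # user 2 logs in
  form_authenticity_token(session) == before
end

puts "without reset_session: old token reused = #{token_survives_switch?(method(:login_without_reset))}"
puts "with reset_session:    old token reused = #{token_survives_switch?(method(:login_with_reset))}"
```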