devise: Remember_token always regenerated when user logs in: existing one never kept anymore
In commit https://github.com/plataformatec/devise/commit/c92996646aba2d25b2c3e235fe0c4f1a84b70d24 a change was made that causes remember_tokens to be regenerated without checking whether the old one has expired. This causes a problem when users log in on multiple browsers or devices. Every time they log in, their session on other browsers/devices is invalidated, because a new token is generated.
My project is forced to stick with Devise 3.5.3 because of this breaking change. The fact that the commit I mentioned still contains a TODO is probably indicative of the fact this is a problem to be resolved.
About this issue
- State: closed
- Created 8 years ago
- Comments: 20 (12 by maintainers)
Commits related to this issue
- Fix overwriting the remember_token when a valid one already exists The remember_token should not get overwritten when a user is signing in and a valid token already exists. Fixes #3950. — committed to ralinc/devise by deleted user 8 years ago
- Fix overwriting the remember_token when a valid one already exists (#4101) The remember_token should not get overwritten when a user is signing in and a valid token already exists. Fixes #3950. — committed to heartcombo/devise by deleted user 8 years ago
- Fix bugs in `extend_remember_period` This PR adds better tests for `extend_remember_period` and tries to better document what the feature is supposed to do. Currently it's not very well specified, an... — committed to ghiculescu/devise by ghiculescu 3 years ago
- Fix bugs in `extend_remember_period` This PR adds better tests for `extend_remember_period` and tries to better document what the feature is supposed to do. Currently it's not very well specified, an... — committed to nomis/devise by ghiculescu 3 years ago
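The behaviour reported in the issue and the behaviour the fix commits describe, side by side in a small Ruby model. This is an added example, not Devise's code: `ModelUser`, its method names, the 14-day `REMEMBER_FOR` period and the timestamps are assumptions made for illustration.

```ruby
require "securerandom"

# Simplified stand-in for a user record; NOT Devise's implementation.
class ModelUser
  REMEMBER_FOR = 14 * 24 * 3600 # assumed remember period, in seconds

  # Behaviour described in the issue: every sign-in issues a new token.
  def remember_always_regenerate!(now)
    @remember_token = SecureRandom.hex(16)
    @remember_created_at = now
    @remember_token
  end

  # Behaviour described by the fix: a token that is still valid is kept.
  def remember_keep_valid!(now)
    remember_always_regenerate!(now) if expired?(now)
    @remember_token
  end

  # True when no token was ever issued or the remember period has passed.
  def expired?(now)
    @remember_created_at.nil? || now - @remember_created_at > REMEMBER_FOR
  end

  # A cookie is accepted only if it matches the stored token and is unexpired.
  def cookie_valid?(cookie, now)
    return false if cookie.nil? || @remember_token.nil? || expired?(now)
    secure_compare(cookie, @remember_token)
  end

  private

  # Constant-time comparison so the check does not leak token prefixes.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Sign in on two browsers in sequence (constructed timestamps), then report
# whether each browser's remember cookie is still accepted.
def two_browser_login(strategy, gap_seconds: 60)
  user = ModelUser.new
  t0 = Time.at(0)
  laptop = user.public_send(strategy, t0)
  phone = user.public_send(strategy, t0 + gap_seconds)
  now = t0 + gap_seconds + 1
  { laptop: user.cookie_valid?(laptop, now), phone: user.cookie_valid?(phone, now) }
end
```

In this model one token is shared by every device, so regenerating it revokes all remembered sessions at once, which is the multi-device logout the issue describes.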
@jjoos because you can use the remember token completely without tokens, by relying on the authentication salt