I use cookies to manage user sessions in my Rails app. I recently found that when a user changes the password, the cookie does not get invalidated as expected. As you realize, this could be a great threat to security. How should I handle this problem? I want to expire or invalidate a cookie once the user changes the password. How do I do this in Rails? Thanks.

+1  A: 

Destroy the session as you would on a logout; and ask the user to log back in.

http://api.rubyonrails.org/classes/ActionController/Base.html#M000474

DRL
This will not prevent an attacker who has gained access to a user's cookie and is still logged in from another computer. Even if the user changes his password, the attacker will still be logged in due to the old cookie.
Swamy g
You shouldn't be relying simply on cookies; each session should have a server-side session token which can be destroyed/reset, rendering the client's cookie useless.
DRL
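The thread ends on the point that matters: a plain logout (the `reset_session` the answer links to) only destroys the session the request arrived with, so a copied cookie in use elsewhere survives a password change. The fix DRL describes is a per-user token held on the server, compared on every request and rotated when the password changes. The following is an added example that is not part of the question, the answer or the comments: plain Ruby with no Rails dependency, where `User` and `SessionStore` are constructed stand-ins for a Rails model and the server-side session store, and the password digest is a toy SHA-256 rather than bcrypt.

```ruby
require 'securerandom'
require 'digest'

# Constructed stand-in for a Rails User model (hypothetical, not Rails' API).
class User
  attr_reader :id, :password_digest, :session_token

  def initialize(id, password)
    @id = id
    set_password(password)
  end

  # Changing the password rotates the per-user session token; that rotation
  # is what makes every previously issued session cookie useless at once.
  def change_password!(new_password)
    set_password(new_password)
  end

  def authenticate(password)
    @password_digest == digest(password)
  end

  private

  def set_password(password)
    @password_digest = digest(password)
    @session_token = SecureRandom.hex(16)
  end

  # Toy digest for the example; a real app uses bcrypt via has_secure_password.
  def digest(str)
    Digest::SHA256.hexdigest("example-salt:#{str}")
  end
end

# Constructed stand-in for a server-side session store (hypothetical).
class SessionStore
  def initialize
    @sessions = {}
  end

  # Login: issue an opaque session id (the only thing the cookie carries) and
  # record the user's current token next to it on the server.
  def create(user)
    sid = SecureRandom.hex(16)
    @sessions[sid] = { user_id: user.id, token: user.session_token }
    sid
  end

  # Logout: destroy a single session, the equivalent of reset_session.
  def destroy(sid)
    @sessions.delete(sid)
  end

  # Resolve a cookie's session id to a user. The token stored at login must
  # still equal the user's current token; after a password change it does not.
  def current_user(sid, users)
    data = @sessions[sid]
    return nil unless data
    user = users[data[:user_id]]
    return nil unless user && data[:token] == user.session_token
    user
  end
end

# Scenario: one user logged in from two browsers, one cookie copied elsewhere.
# Returns which sessions are still alive at each step.
def demo
  users = { 1 => User.new(1, "old-password") }
  store = SessionStore.new
  own_sid    = store.create(users[1])   # the user's own browser
  copied_sid = store.create(users[1])   # the same cookie used from another machine

  both_alive = [own_sid, copied_sid].all? { |s| store.current_user(s, users) }

  # A plain logout destroys only the current session; the copy stays valid.
  store.destroy(own_sid)
  copy_alive_after_logout = !store.current_user(copied_sid, users).nil?

  # Rotating the token on password change invalidates every remaining session.
  users[1].change_password!("new-password")
  copy_alive_after_change = !store.current_user(copied_sid, users).nil?

  # Logging in again after the change issues a session bound to the new token.
  new_sid = store.create(users[1])
  relogin_ok = !store.current_user(new_sid, users).nil?

  { both_alive: both_alive,
    copy_alive_after_logout: copy_alive_after_logout,
    copy_alive_after_change: copy_alive_after_change,
    relogin_ok: relogin_ok }
end
```

In a Rails app the same shape would be a token column on the user record, set whenever the password is saved, with the comparison done in the controller's `current_user` lookup so that a stale cookie simply resolves to no user and falls through to the login page.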