Command to clear the cookie-based session store in Rails

Accepted answer
Score: 29

If you use Cookie based sessions

You can change the secret_token of your rails app. This will invalidate all existing sessions.

rake secret

Then copy the value into

RAILS_ROOT/config/initializers/session_store.rb

That's it. Remember to restart your app after this ;)

If you use database based sessions

rake db:sessions:clear

If you use file based sessions

rake tmp:sessions:clear

Score: 9

Change the name of the session cookie. It won't delete the old cookies, but it'll force everyone to get a new session cookie.

Score: 8

The problem is that cookies are client side. Running a rake task on your server won't delete cookies on all the machines that have visited the web page, obviously.

Perhaps you can use session.clear in your controllers somehow? You're right about changing the cookie key, though. Doing so would invalidate any session belonging to the old key. You would have to rescue from ActionController::StaleSession (or something like that), but it'd work.

Score: 3

It occurs to me now that what I want may not be possible depending on how the cookie-based store is implemented. If the cookies contain all the information the server needs (including a signature for data integrity) then the server does not need to store any information on its side, therefore there is no way to invalidate existing cookies. I had assumed the cookie contained some key that corresponded to data on the server-side in order to verify that the cookie is valid, but now I realize this may not be the case.

If this is true, then the only way to clear cookies would be to change the server-side cookie secret used for signing and then presumably restart the server process.
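
Added example (not from any of the answers, and not Rails' own code): a simplified model of a signed cookie session, showing why a stateless cookie store can only be cleared by changing the signing secret. The `SignedCookie` module, its cookie layout and the sample session are assumptions made for illustration.

```ruby
require "openssl"
require "json"
require "securerandom"

# Simplified model of a signed cookie session (an assumption for
# illustration, not Rails' code): "<base64 payload>--<HMAC-SHA256 hex>".
# The server stores no session data, only the secret.
module SignedCookie
  module_function

  def sign(session, secret)
    payload = [JSON.generate(session)].pack("m0") # strict base64
    "#{payload}--#{mac(payload, secret)}"
  end

  # Returns the session hash, or nil if the signature does not match the
  # secret in use (tampered cookie, or cookie signed with an old secret).
  def verify(cookie, secret)
    payload, sig = cookie.to_s.split("--", 2)
    return nil if payload.nil? || sig.nil?
    return nil unless same?(sig, mac(payload, secret))
    JSON.parse(payload.unpack1("m0"))
  rescue ArgumentError, JSON::ParserError
    nil
  end

  def mac(payload, secret)
    OpenSSL::HMAC.hexdigest("SHA256", secret, payload)
  end

  # Constant-time comparison so the check does not leak matching prefixes.
  def same?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Constructed scenario: one cookie checked before and after rotation.
def rotation_demo
  old_secret = SecureRandom.hex(64) # kind of value `rake secret` generates
  new_secret = SecureRandom.hex(64)
  cookie = SignedCookie.sign({ "user_id" => 42 }, old_secret)
  { before: SignedCookie.verify(cookie, old_secret), # session accepted
    after: SignedCookie.verify(cookie, new_secret),  # rejected after rotation
    relogin: SignedCookie.verify(SignedCookie.sign({ "user_id" => 42 }, new_secret), new_secret) }
end

p rotation_demo if $PROGRAM_NAME == __FILE__
```

The old cookie still sits in the browser after rotation; it is simply rejected on its next request, and the user gets a fresh session.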

Score: 1

If you are running this on a production server I recommend:

rake secret

Which is simply generating a random secure token. The rake task is basically doing this, which you could do in a console.

SecureRandom.hex(64)

Never check the production key into version control / Git but use an environment variable instead. So in your config/secrets.yml file use something like:

production:
  secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>
