Have you ever thought of kicking a specific logged-in user out of their session (for some weird reason)?
If you are using Devise for authentication, then the short answer is no/yes. Read through the rest of the post for the explanation, or scroll to the end for a hacky way.
I tried many ways to fool Devise into thinking that the user session had expired, but had no luck. The user session cannot be accessed by other users (for example from the Rails console or at the database level).
The closest I thought I came was to trick the Timeoutable hook. But it depends on `last_request_at`, which is taken from the user session. I tried messing with DB fields like `current_sign_in_at` and `last_sign_in_at`, but realized that Devise does not look at these fields once the user logs in.
Overall, the conclusion is that we can’t mess around with Devise, which does its job well.
Note: You can still clear all the sessions for all the users in the following ways, depending on where you store the session:
- Cookie Store (default):
`Fleet::Application.config.session_store :cookie_store, key: '_change_me_session'`
When you change the key, the old sessions expire.
- Redis as session store: `redis-cli flushall` (this removes every key in the Redis instance, not only sessions), or delete the sessions using a wildcard if we know part of the key
- Database: If the sessions are stored in the database
Update: Hacky way: After all this effort I found out that we don’t even need to rack our brains to crack Devise. Just change the `password` of the `user` from the Rails console and that will log them out. I called it a hacky way as the user cannot log in again with the previous password (you can revert it back to normal after logout, though).
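Why the password change logs the user out, as an added example (a plain-Ruby model written for this page, not Devise's or the author's code): Devise stores a salt taken from the first 29 characters of `encrypted_password` in the session and treats the session as signed out once that salt no longer matches. `USERS`, `TokenUser`, its session token and `revoke_sessions!` are hypothetical names, and SHA-256 stands in for bcrypt.

```ruby
require 'securerandom'
require 'digest'

USERS = {} # constructed in-memory stand-in for the users table

# Simplified model of a Devise user (assumption: SHA-256 stands in for bcrypt).
class User
  attr_reader :id, :encrypted_password

  def initialize(id, password)
    @id = id
    self.password = password
  end

  # Like bcrypt, every password change produces a fresh random salt prefix.
  def password=(plain)
    salt = SecureRandom.alphanumeric(29)
    @encrypted_password = salt + Digest::SHA256.hexdigest(salt + plain)
  end

  # Devise's database_authenticatable uses the first 29 chars of the hash.
  def authenticatable_salt
    encrypted_password[0, 29]
  end
end

# Hypothetical variant: a per-user token mixed into the salt, so one user's
# sessions can be revoked without touching the password.
class TokenUser < User
  def initialize(id, password)
    super
    @session_token = SecureRandom.hex(8)
  end

  def authenticatable_salt
    "#{super}#{@session_token}"
  end

  def revoke_sessions!
    @session_token = SecureRandom.hex(8)
  end
end

# Written into the session at sign-in.
def serialize_into_session(user)
  [user.id, user.authenticatable_salt]
end

# Checked on every later request: a stale salt means "not signed in".
def serialize_from_session(id, salt)
  user = USERS[id]
  user if user && user.authenticatable_salt == salt
end
```

Setting the previous password again still produces a new salt, so sessions created before the change stay invalid.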