
Session timeout module does not logout user #303

Open
PedroAugustoRamalhoDuarte opened this issue Feb 16, 2022 · 5 comments

Comments

@PedroAugustoRamalhoDuarte

I have configured sorcery to include the session timeout module, but when sorcery tries to reset sessions in the validate_session method in controller/submodules/session_timeout.rb, the user is not logged out.
Here is my config:

config/sorcery.rb

  Rails.application.config.sorcery.submodules = [:remember_me, :reset_password, :user_activation, :session_timeout]

  # -- session timeout --
  # How long in seconds to keep the session alive.
  # Default: `3600`
  #
  config.session_timeout = 5 # five seconds for tests

  # Use the last action as the beginning of session timeout.
  # Default: `false`
  #
  config.session_timeout_from_last_action = false

  # Invalidate active sessions. Requires an `invalidate_sessions_before` timestamp column
  # Default: `false`
  #
  config.session_timeout_invalidate_active_sessions_enabled = true

migrate

class AddInvalidateSessionToUser < ActiveRecord::Migration[6.1]
  def change
    add_column :users, :invalidate_sessions_before, :datetime
  end
end

Configuration

  • Sorcery Version: 0.16.1
  • Ruby Version: 2.7.2
  • Framework: Rails 6.1.4.4
  • Platform: Linux

Expected Behavior

After 5 seconds from login, the session is invalid.

Actual Behavior

The user can still authenticate on the platform.

Steps to Reproduce

Just log in and wait 5 seconds; it does not work.

Debug

When I add a logout line in the sorcery code, it works:

def validate_session
  session_to_use = Config.session_timeout_from_last_action ? session[:last_action_time] : session[:login_time]
  if (session_to_use && sorcery_session_expired?(session_to_use.to_time)) || sorcery_session_invalidated?
    reset_sorcery_session
    remove_instance_variable :@current_user if defined? @current_user
    logout # line added for debugging: explicitly logs the user out
  else
    session[:last_action_time] = Time.now.in_time_zone
  end
end
@joshbuker (Member)

@PedroAugustoRamalhoDuarte there isn't enough information for me to tell what's going wrong. Can you please create a minimal app to reproduce this issue? The first thing that comes to mind is that sessions are failing to invalidate entirely. Have you tried setting a session variable, resetting the session, and checking that the variable was cleared? e.g.

session[:testing] = 'some value'
reset_session
byebug
$ session[:testing]
=> nil

@PedroAugustoRamalhoDuarte (Author)

@athix thanks for the response, I will try to create a minimal app to reproduce this bug; maybe the remember_me module is in conflict with the session_timeout module.

@PedroAugustoRamalhoDuarte (Author)

@athix here is the repo (https://github.com/PedroAugustoRamalhoDuarte/sorcery-session-timeout). To reproduce the bug:

  • Create a user
  • Log in with the user (with remember_me on)
  • Stay 5 seconds on the show user page; it should log out the user, but it doesn't

I guess session_timeout destroys the session, but remember_me creates a new one; maybe the fix is to add a forget_me! in the session_timeout validate_session method.

@PedroAugustoRamalhoDuarte (Author)

I added the forget_me! method to controller/submodules/session_timeout and it works.

def validate_session
  session_to_use = Config.session_timeout_from_last_action ? session[:last_action_time] : session[:login_time]
  if (session_to_use && sorcery_session_expired?(session_to_use.to_time)) || sorcery_session_invalidated?
    forget_me! # clear the remember_me cookie so it cannot re-create the session
    reset_sorcery_session
    remove_instance_variable :@current_user if defined? @current_user
  else
    session[:last_action_time] = Time.now.in_time_zone
  end
end
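The interaction described in this thread, as an added stand-alone model (not sorcery's code): a timed-out session is reset, but a surviving remember-me cookie logs the user straight back in unless the cookie is cleared too. `FakeController`, its token format and the `fix_enabled:` switch are constructed for this illustration.

```ruby
# Constructed model of the session_timeout / remember_me interaction from this issue.
# Timestamps are plain integers (seconds); tokens are a fake "tok-<user_id>" string.
class FakeController
  attr_reader :session, :cookies

  def initialize(user_id, timeout:)
    @timeout = timeout
    @session = { user_id: user_id, login_time: 0 }          # logged in at t = 0
    @cookies = { remember_me_token: "tok-#{user_id}" }      # remember_me is on
    @current_user = user_id
  end

  def sorcery_session_expired?(now)
    now - @session[:login_time] > @timeout
  end

  # Stand-in for the before_action in the thread. With fix_enabled: false it only
  # resets the session (the reported bug); with fix_enabled: true it also clears
  # the remember-me cookie, which is what forget_me! does in the proposed fix.
  def validate_session(now, fix_enabled:)
    return unless @session[:login_time] && sorcery_session_expired?(now)

    @cookies.delete(:remember_me_token) if fix_enabled # forget_me!
    @session.clear                                     # reset_sorcery_session
    @current_user = nil                                # drop the cached user
  end

  # Stand-in for the remember_me behaviour: when no user is in the session, a
  # valid remember-me cookie silently re-creates the login.
  def current_user
    @current_user ||= login_from_cookie
  end

  private

  def login_from_cookie
    token = @cookies[:remember_me_token]
    return nil unless token && token.start_with?('tok-')

    user_id = token.delete_prefix('tok-').to_i
    @session[:user_id] = user_id
    @session[:login_time] = 0
    user_id
  end
end

# Runs the scenario from the issue: 5-second timeout, request arrives at t = 6.
def logged_in_after_timeout?(fix_enabled:)
  controller = FakeController.new(42, timeout: 5)
  controller.validate_session(6, fix_enabled: fix_enabled)
  !controller.current_user.nil?
end
```

Without the fix the user is still logged in after the timeout; with the cookie cleared the timeout actually ends the login.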

@PedroAugustoRamalhoDuarte (Author)

I will create a pull request.
