Previous user picked up with auth_token login in Devise

Here's my scenario.

First, I log in as Alice: http://localhost:3000/?auth_token=eMX开发者_运维百科Bk8cuJMA1ETZfMIgB Then, without logging out, I log in as Bob: http://localhost:3000?auth_token=Z9Ui7Cw_xCnOmGWOEUEH

What happens is, after the second GET request, I'm still logged in as Alice, not Bob. If I do a http://localhost:3000/users/sign_out in between the two auth_token logins, everything's OK. Without the sign_out, Bob can't login using his token.

Is this a bug, or the way things should be due to some security issues I'm ignorant of? Can this behavior be overriden through hooks?

I've run into this with restful_authentication and devise. Here is what I use to handle it (put in application_controller.rb) and call it where needed. Note that I use :ak for the auth token. Change to whatever you're using.

def switch_session(api_key_passed)
  if api_key_passed != current_user.authentication_token
    logger.info("******Switching session as token is different.*******")
    user = User.find_by_authentication_token(api_key_passed)
    sign_out(user)
    if @api_login_enabled.present?
      redirect_to(new_user_session_path(:ak => api_key_passed))
    else
      logger.info("***API Login Setting is Disabled.***")
    end
  end
end

Devise's token_authenticatable strategy is a login path. Sending a User's authentication_token to Devise will log in that user and set a session, just as logging in via the web would. It is not supposed to act as an API Key, which would be required to be sent on every request and knowledge of that request disappears once the server responds.

Take a look at this issue here for more information: https://github.com/plataformatec/devise/issues/300

@jschorr's answer will work if you wish to use it more like an API key, but you should be aware that the original issue will not actually persist the previous user's session between different clients, this is not a security issue of sessions leaking between clients, and this is exactly how the authors of Devise intended. Just as you would need to log out of your Significant Other's webmail account in order to check your own if they just checked their mail from the same computer, you would need to send a logout message to your Rails app before you can switch accounts.

You are missing a setting on devise.rb initializer:

  # By default Devise will store the user in session. You can skip storage for
  # :http_auth and :token_auth by adding those symbols to the array below.
  # Notice that if you are skipping storage for all authentication paths, you
  # may want to disable generating routes to Devise's sessions controller by
  # passing :skip => :sessions to `devise_for` in your config/routes.rb
  config.skip_session_storage = [:token_auth]

So no session is used when a user authenticates with an auth_token.