add comment on session nonce

keygen-sh · Jul 19, 2024 · b6c4bbf · b6c4bbf
1 parent 6524642
commit b6c4bbf
Showing 1 changed file with 2 additions and 0 deletions.
diff --git a/app/controllers/concerns/authentication.rb b/app/controllers/concerns/authentication.rb
@@ -124,6 +124,8 @@ def http_session_authenticator(session)
     user = current_account.users.for_environment(current_environment, strict: current_environment.nil?)
                                 .find_by(id: session[:user_id])
 
+    # Currently we only allow 1 session per-user, meaning if the session
+    # nonce doesn't match, then the current session is expired.
     unless user.present? && user.account_id == session[:account_id] &&
                             user.session_nonce == session[:nonce]
       session.destroy # clear cookie