Reset session on log(in|out)

[wvengen]

In #57 (comment) it came up that we should probably reset the session after logout and after login.

https://www.owasp.org/index.php/Broken_Authentication_and_Session_Management
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04e-Testing-Authentication-and-Session-Management.md#session-management-best-practices
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04e-Testing-Authentication-and-Session-Management.md#user-logout-and-session-timeouts
https://wblinks.com/notes/secure-session-management-tips/

I would come to the conclusion that both are desirable.

[wvengen]

Do the maintainers agree? Then I'll submit a PR.

[jvdp]

@wvengen only 4 years late with my reply ;)

As you may have seen this gem is deprecated. Do you still use it?

[wvengen]

Hah, thanks for replying :)

Yes, we are still using it, moving to a different admin framework was a big undertaking (our efforts in this direction are stalled), and we kind of decided to keep using this gem. Our expectations of upstream support have dropped to basically zero, indeed.

[jvdp]

We could see if we can transfer ownership or something, though it might actually be simpler to just vendor the gem in your project(s.) I have one project left that uses this and I'm thinking of doing that too.

[wvengen]

We are using it in two projects (core only), so we'll maintain core anyway, to the extent necessary for ourselves.
I would be open to keep an eye on this project, as long we are using it.

[jvdp]

@wvengen what's your rubygems handle? You should also be getting the commit bit soon.

[wvengen]

Thank you! :) https://rubygems.org/profiles/wvengen