Delete server-side session on logout

rosa · claude · rosa · commit dde94b06ed65 · 2026-01-16T09:31:22.000+01:00
When it's set. Also, store it in current attributes for convenience.

Co-Authored-By: Claude Opus 4.5 &lt;noreply@anthropic.com&gt;
diff --git a/app/controllers/concerns/authentication.rb b/app/controllers/concerns/authentication.rb
@@ -67,17 +67,27 @@ def resume_session(session)
       authenticated_as session
     end
 
+    def terminate_current_session
+      Current.session&.destroy!
+      reset_session
+      remove_authentication_cookie
+    end
+
     def authenticated_as(session)
-      Current.user = session.user
+      Current.session = session
       set_authenticated_by(:session)
-      cookies.signed.permanent[:session_token] = { value: session.token, httponly: true, same_site: :lax }
+      set_authentication_cookie(session)
     end
 
     def post_authenticating_url
       session.delete(:return_to_after_authenticating) || root_url
     end
 
-    def reset_authentication
+    def set_authentication_cookie(session)
+      cookies.signed.permanent[:session_token] = { value: session.token, httponly: true, same_site: :lax }
+    end
+
+    def remove_authentication_cookie
       cookies.delete(:session_token)
     end
 
diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
@@ -18,7 +18,7 @@ def create
 
   def destroy
     remove_push_subscription
-    reset_authentication
+    terminate_current_session
     redirect_to root_url
   end
 
diff --git a/app/models/current.rb b/app/models/current.rb
@@ -1,8 +1,16 @@
 class Current < ActiveSupport::CurrentAttributes
-  attribute :user, :request
+  attribute :session, :user, :request
 
   delegate :host, :protocol, to: :request, prefix: true, allow_nil: true
 
+  def session=(value)
+    super(value)
+
+    if value.present?
+      self.user = session.user
+    end
+  end
+
   def account
     Account.first
   end
diff --git a/test/controllers/sessions_controller_test.rb b/test/controllers/sessions_controller_test.rb
@@ -28,7 +28,9 @@ class SessionsControllerTest < ActionDispatch::IntegrationTest
   end
 
   test "create with valid credentials" do
-    post session_url, params: { email_address: "david@37signals.com", password: "secret123456" }
+    assert_difference -> { Session.count }, +1 do
+      post session_url, params: { email_address: "david@37signals.com", password: "secret123456" }
+    end
 
     assert_redirected_to root_url
     assert parsed_cookies.signed[:session_token]
@@ -43,11 +45,15 @@ class SessionsControllerTest < ActionDispatch::IntegrationTest
 
   test "destroy" do
     sign_in :david
+    session = users(:david).sessions.last
 
-    delete session_url
+    assert_difference -> { Session.count }, -1 do
+      delete session_url
+    end
 
     assert_redirected_to root_url
     assert_not cookies[:session_token].present?
+    assert_nil Session.find_by(id: session.id)
   end
 
   test "destroy removes the push subscription for the device" do
