I know this sounds like a very simple task to do, but since I just spent half an hour reading up on how Sessions in Rails work I decided it's time to put this up so I can Google it again next time :)
First off, you need to know how you are storing sessions in your application.
Rails supports 3 types of session storage: Stored on Disk, in the Database or through Cookies in the client. You can check which one you are using in
Cookie based session storage
Rails 3 defaults to storing the session in the client using a session cookie. This means that the user_id along with all the data you put into the hash is serialized into the cookie and sent to the client.
It's also not encrypted, only BASE64 encoded, so if you are storing anything sensitive in there you are doing it wrong.
But for simple things like the current user_id the cookie based session store is just fine and also a lot faster than the alternatives.
Expiring the cookie though is a bit more involved since you can't reach out to all clients and delete their cookies at once. But, and that's the important part for what I was doing: This cookie is signed with a SHA-512 digest using a secret key that is only present on the server. So the cookie cannot be tampered with on the client, and this is also your avenue of attack when trying to expire all cookies:
Simply change the secret that is used to sign the cookies. All previous cookies are invalidated as their digest is no longer valid.
Doing so is simple: first generate a new secret using rake:
$ rake secret
Then copy/paste that new secret into your
MyApp::Application.config.secret_token = '10dfec4781b682762a731a5e88...'
Once done, deploy the application and all existing sessions are invalid at once.
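To make the mechanism concrete, here is an added stand-alone Ruby example (not Rails code and not from the original post) that rebuilds the "payload--digest" layout of a Rails 3 style signed session cookie. It shows the three points above: the payload is readable by anyone holding the cookie, a cookie whose digest was computed with a different secret fails verification, and therefore rotating the server secret invalidates every cookie issued before. Assumptions: the secrets are constructed placeholders, the payload is JSON rather than the Marshal serialization Rails 3 actually uses, and the digest is HMAC-SHA1 (the default of ActiveSupport::MessageVerifier in Rails 3; the post refers to SHA-512).

```ruby
require 'openssl'
require 'base64'
require 'json'

# Constructed placeholder secrets; in Rails this is config.secret_token.
OLD_SECRET = 'constructed-old-secret-token-0000'
NEW_SECRET = 'constructed-new-secret-token-1111'

# Digest choice is an assumption for this example (Rails 3 MessageVerifier
# default); the point of the demo does not depend on the algorithm.
DIGEST = OpenSSL::Digest.new('SHA1')

# Build a cookie value: Base64(payload) + "--" + hex HMAC over that Base64.
# Only the HMAC protects integrity; nothing here provides confidentiality.
def sign_session(session_hash, secret)
  payload = Base64.strict_encode64(JSON.generate(session_hash))
  digest  = OpenSSL::HMAC.hexdigest(DIGEST, secret, payload)
  "#{payload}--#{digest}"
end

# Constant-time string comparison so a forged digest cannot be guessed
# byte by byte from response timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  expected = a.unpack('C*')
  diff = 0
  b.each_byte { |byte| diff |= byte ^ expected.shift }
  diff.zero?
end

# Verify the cookie with the server secret; returns the session hash on
# success and nil when the digest is missing, wrong, or signed with another
# secret. A secret rotation therefore turns every old cookie into nil.
def load_session(cookie, secret)
  payload, digest = cookie.to_s.split('--', 2)
  return nil if payload.nil? || digest.nil?
  expected = OpenSSL::HMAC.hexdigest(DIGEST, secret, payload)
  return nil unless secure_compare(expected, digest)
  JSON.parse(Base64.strict_decode64(payload))
rescue ArgumentError, JSON::ParserError
  nil
end

# Decode the payload without checking the signature: this is what any
# client or proxy can read, which is why secrets must never go in there.
def peek_session(cookie)
  payload = cookie.to_s.split('--', 2).first
  JSON.parse(Base64.strict_decode64(payload))
end

if __FILE__ == $PROGRAM_NAME
  cookie = sign_session({ 'user_id' => 42 }, OLD_SECRET)
  puts "cookie:              #{cookie}"
  puts "readable by client:  #{peek_session(cookie).inspect}"
  puts "valid, old secret:   #{load_session(cookie, OLD_SECRET).inspect}"
  puts "after rotation:      #{load_session(cookie, NEW_SECRET).inspect}"
end
```

Running the file prints the cookie, its plainly decodable contents, the verified session under the original secret, and nil once the secret has been swapped, which is exactly the effect the rake secret / deploy step has on every cookie already in the wild.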
Database backed session storage
If you are using the database to store the session, it's rather trivial to expire all existing sessions using rake:
File based session storage
Like with the database, simply run the following rake command:
Hope this helps.