---
title: Ensure Logout Session Invalidation
impact: MEDIUM
impactDescription: prevents session reuse after user logout
tags: security, session, authentication, logout
---

## Ensure Logout Session Invalidation

When a user logs out, destroy the whole session on the server side, not just the key that identifies the user. Clearing `session[:user_id]` leaves the session id itself valid, so a cookie value that was captured earlier (stolen or fixated) still resolves to a live session and becomes authenticated again the next time the user signs in from that browser unless login rotates the id. Note that Rails' default cookie store keeps no server-side state: `reset_session` issues a fresh cookie, but a copy of the old cookie remains decryptable and replayable until it expires, so use a server-side session store (or short session expiry) where that risk matters.

**Incorrect (partial logout):**

```ruby
def logout
  # Clears one key only: the session id (and cookie) stays valid, and any
  # other session data survives.
  session[:user_id] = nil
  redirect_to root_path
end
```

**Correct (full invalidation):**

```ruby
def logout
  # Destroys the entire session and issues a new session id to the browser,
  # so the old id no longer maps to anything.
  reset_session
  redirect_to root_path
end
```
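To show why the difference matters outside a Rails controller, the following is an added example (not code from the page or from Rails/Devise) with a constructed in-memory server-side session store. `partial_logout` mirrors `session[:user_id] = nil` and `full_logout` mirrors `reset_session`; `replay_after_logout` simulates an attacker who copied the victim's cookie before logout and checks what that copy is worth after the victim logs out and then signs in again. All names, ids and the user id `42` are assumptions for the example.

```ruby
require "securerandom"

# Constructed in-memory, server-side session store (stands in for an
# ActiveRecord/Redis store). Added example, not Rails or Devise code.
class SessionStore
  def initialize
    @sessions = {}
  end

  # Mint a fresh, unpredictable id bound to an empty data hash.
  def create
    id = SecureRandom.hex(16)
    @sessions[id] = {}
    id
  end

  # Data hash for a live session, or nil if the id is unknown.
  def fetch(id)
    @sessions[id]
  end

  def destroy(id)
    @sessions.delete(id)
  end
end

# A request is authenticated only if its cookie names a live session that
# carries a user_id.
def current_user(store, sid)
  data = store.fetch(sid)
  data && data[:user_id]
end

def login(store, sid, user_id)
  store.fetch(sid)[:user_id] = user_id
end

# Incorrect (mirrors session[:user_id] = nil): the key is cleared but the
# session record and its id stay live, so the same cookie value still
# resolves to a session on the server.
def partial_logout(store, sid)
  store.fetch(sid)[:user_id] = nil
  sid # browser keeps the old cookie
end

# Correct (mirrors reset_session): the record is destroyed and the browser
# receives a brand-new id; the old id no longer maps to anything.
def full_logout(store, sid)
  store.destroy(sid)
  store.create
end

# Scenario (constructed): the attacker captured the victim's cookie value
# before logout. Returns what the captured id yields after the given logout
# style and again after the victim signs back in from the same browser.
def replay_after_logout(logout:)
  store = SessionStore.new
  victim_sid = store.create
  login(store, victim_sid, 42)
  captured_sid = victim_sid.dup # attacker's copy of the cookie

  victim_sid = method(logout).call(store, victim_sid)
  after_logout = current_user(store, captured_sid)

  login(store, victim_sid, 42) # victim logs in again, same browser
  after_relogin = current_user(store, captured_sid)

  {
    session_still_live: !store.fetch(captured_sid).nil?,
    user_after_logout: after_logout,
    user_after_relogin: after_relogin
  }
end

if __FILE__ == $PROGRAM_NAME
  p replay_after_logout(logout: :partial_logout)
  p replay_after_logout(logout: :full_logout)
end
```

With `partial_logout` the captured id is still a live session after logout and is authenticated as user 42 once the victim signs in again; with `full_logout` the captured id resolves to nothing at both points. Rotating the id at login time is the complementary control, but it does not remove the need to destroy the session at logout.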

**Tools:** Manual Review, Devise default (`sign_out` with no scope logs out all scopes and resets the session)
---
