Handle sessions created before active_sessions feature was enabled du…

…ring logout (Fixes #224)

CHANGELOG

@@ -1,5 +1,7 @@
 === master
 
+* Handle sessions created before active_sessions feature was enabled during logout (jeremyevans) (#224)
+
 * Add reset_password_notify for emailing users after successful password resets (jeremyevans)
 
 * An email method can now be used in external features to DRY up email creation code (jeremyevans)

lib/rodauth/features/active_sessions.rb

@@ -81,7 +81,9 @@ def handle_duplicate_active_session_id(_e)
     end
 
     def remove_current_session
-      active_sessions_ds.where(active_sessions_session_id_column=>compute_hmac(session[session_id_session_key])).delete
+      if session_id = session[session_id_session_key]
+        active_sessions_ds.where(active_sessions_session_id_column=>compute_hmac(session_id)).delete
+      end
     end
 
     def remove_all_active_sessions

spec/active_sessions_spec.rb

@@ -306,6 +306,25 @@
     end
   end
 
+  it "should handle cases where active session id is not set during logout, to handle cases where active_sessions was added after session creation" do
+    rodauth do
+      enable :login, :active_sessions
+      hmac_secret '123'
+    end
+    roda do |r|
+      r.rodauth
+      rodauth.check_active_session
+      r.get('remove_session_id'){session.delete(rodauth.session_id_session_key); r.redirect '/logout'}
+      r.root{view :content=>rodauth.logged_in? ? "Logged In" : "Not Logged"}
+    end
+
+    login
+
+    visit '/remove_session_id'
+    click_button 'Logout'
+    page.title.must_equal 'Login'
+  end
+
   it "should limit accounts to a single logged in session when using jwt" do
     rodauth do
       enable :login, :active_sessions