Best security practices with regard to clearing model data between logins

Hey,

What are the best practices with regard to handling multiple users on the same machine? Is it simply a case of clearing the model data on logout using

this.store.unloadAll();

The obvious issue here is that the user might not actually log out; they might just leave their machine, so it’s probably better to do this on login, before anything is fetched from the store.

There are actually a couple of suggestions in this Ember Igniter post:

A quick search will return many different workarounds, like iterating over the defined models and unloading by type, resetting the app with App.reset() or going nuclear and destroying the whole store.

So I’d be interested to hear the steps other people are taking here as it’s an important point.

We use ember-simple-auth. It takes the nuclear option by refreshing the browser. IIRC, it also unloads the store.

Interesting. I’m actually using ember-simple-auth and was surprised that it wasn’t taking care of this. I must not be using it correctly.

In our logout flow, we call the session service’s “invalidate()” method. I may not be spot on with the name. I’ll confirm when I get back to my 'puter.

Sorry, I was completely under the influence of sniffing glue. We are initializing an object in an instance-initializer, hooking the session.invalidationSucceeded event, and calling window.location.reload() there. I believe we got the notion from reading the source code comments of the ember-simple-auth ApplicationRouteMixin. According to the API docs, if you use the app route mixin, it will do that, too. But I don’t see evidence of it in the source.


Um, I can confirm that ember-simple-auth will refresh the entire page on logout. Not the nicest solution but works!
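The two ideas from this thread (clear on login, clear and reload on logout) combined in one place, as an added example that is not code from any poster or from ember-simple-auth. `wireSessionCleanup`, `FakeSession` and `FakeStore` are hypothetical names, and it assumes an ember-simple-auth version whose session service still emits the `authenticationSucceeded` and `invalidationSucceeded` events.

```javascript
// Constructed stand-ins so the example runs outside an Ember app. In a real
// app `session` is the ember-simple-auth session service and `store` the
// Ember Data store; only on(), unloadAll() and the two event names are used.
class FakeSession {
  constructor() { this.handlers = {}; }
  on(name, fn) { (this.handlers[name] = this.handlers[name] || []).push(fn); }
  trigger(name) { (this.handlers[name] || []).forEach((fn) => fn()); }
}

class FakeStore {
  constructor() { this.records = []; }
  push(record) { this.records.push(record); }
  peekAll() { return this.records.slice(); }
  unloadAll() { this.records = []; }
}

// Hypothetical helper: call once at boot, e.g. from an instance-initializer.
// `reload` is injected: () => window.location.reload() in the browser,
// a counter in tests.
function wireSessionCleanup({ session, store, reload }) {
  // Logout: drop cached records, then reload so every other piece of
  // in-memory state (services, component state, closures) is discarded too.
  session.on('invalidationSucceeded', () => {
    store.unloadAll();
    reload();
  });
  // Login: the previous user may have walked away without logging out,
  // so clear the store again before anything is fetched for the new user.
  session.on('authenticationSucceeded', () => store.unloadAll());
}

// Constructed scenario: user A's record is cached, A never logs out,
// then user B authenticates on the same machine and later logs out.
function demo() {
  const session = new FakeSession();
  const store = new FakeStore();
  let reloads = 0;
  wireSessionCleanup({ session, store, reload: () => { reloads += 1; } });

  store.push({ type: 'invoice', owner: 'user-a', total: 1200 });
  session.trigger('authenticationSucceeded');
  const afterLogin = store.peekAll().length;

  store.push({ type: 'invoice', owner: 'user-b', total: 75 });
  session.trigger('invalidationSucceeded');
  return { afterLogin, afterLogout: store.peekAll().length, reloads };
}
```

Unloading the store only covers Ember Data records; anything cached elsewhere in memory survives until the reload, which is why the logout handler does both.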