From a3fcabe397d1d42f1ea5eecb1ec1cc3e367a9a58 Mon Sep 17 00:00:00 2001
From: Zeke Gabrielse
Date: Thu, 18 Jul 2024 22:18:39 -0500
Subject: [PATCH] add comment on session nonce

---
 app/controllers/concerns/authentication.rb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/app/controllers/concerns/authentication.rb b/app/controllers/concerns/authentication.rb
index 26604faea8..bce3a24ec9 100644
--- a/app/controllers/concerns/authentication.rb
+++ b/app/controllers/concerns/authentication.rb
@@ -124,6 +124,8 @@ def http_session_authenticator(session)
     user = current_account.users.for_environment(current_environment, strict: current_environment.nil?)
                                 .find_by(id: session[:user_id])
+    # Currently we only allow 1 session per-user, meaning if the session
+    # nonce doesn't match then the current session is outdated.
     unless user.present? && user.account_id == session[:account_id] && user.session_nonce == session[:nonce]
       session.destroy # clear cookie