From b6c4bbfd2a2328416512adce23d676ff0e6a4a7e Mon Sep 17 00:00:00 2001
From: Zeke Gabrielse
Date: Thu, 18 Jul 2024 22:18:39 -0500
Subject: [PATCH] add comment on session nonce

---
 app/controllers/concerns/authentication.rb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/app/controllers/concerns/authentication.rb b/app/controllers/concerns/authentication.rb
index 26604faea8..6f1fa0feec 100644
--- a/app/controllers/concerns/authentication.rb
+++ b/app/controllers/concerns/authentication.rb
@@ -124,6 +124,8 @@ def http_session_authenticator(session)
 user = current_account.users.for_environment(current_environment, strict: current_environment.nil?)
 .find_by(id: session[:user_id])
+ # Currently we only allow 1 session per-user, meaning if the session
+ # nonce doesn't match, then the current session is expired.
 unless user.present? && user.account_id == session[:account_id] && user.session_nonce == session[:nonce]
 session.destroy # clear cookie