I am working on a legacy Rails 3.2 app and would like to log everybody out and have their _app_session be reset with the secure flag set to true. It seems like either changing our session_store strategy to secure: true or config.force_ssl = true. Strangely only the latter seems to work correctly in Chrome.
The question is that it seems like the best way to log everyone one would be to remove their session variable and I tried this solution here https://stackoverflow.com/a/11422931/152825 of:
rake tmp:sessions:clear
but it didn't seem to work. Is there a better way to clear these session variables?
As far as your sessions are not really saved on backend you can not just delete them. But you can invalidate by changing the secret_key_base.
Rails uses that long random key to encrypt the session cookies. Once it will change - all the old sessions will no longer be valid, because rails will not be able to decrypt them.