Is it best practice to call reset_session when a user successfully signs in and to call it again when a user signs out? Are there any side effects/problems to doing this?

That's really going to depend on how you store things in session and how you want the security to operate.

Reset session will drop everything from the user's session, so if they hop back into the login screen and sign back in but still had (for example) a shopping cart stored to their session, you'll clear that which may be undesirable.

If you're not storing any data you feel the users might want to hold on to, I know of no reason clearing the session before processing a login attempt would hurt at all, an on sign outs I recommend it.

The Ruby on Rails Security Guide recommends resetting the session id upon successful authentication to protect against session fixation vulnerabilities. Essentially, session fixation involves an attacker setting your session id (or some other method of being able to know what the id is when you hit the login page), and, upon your successful authentication, the attacker sets a cookie for their own browser using your session id and are subsequently authenticated as you. Resetting the session id upon successful authentication completely mitigates such a vulnerability. Some sample code in your create action might look like:

def create
  user =  User.find_by_email(params[:email])
  if user && user.authenticate(params[:password])
    temp_session = session.dup
    reset_session
    session.replace(temp_session)
    session[:athlete_id] = athlete.id
    redirect_to root_url, notice: "Authentication successful!"
  else
    flash.now.alert = "Invalid credentials"
    render "new"
  end
end

Note that it's important to duplicate the session before resetting it if there is any data you wish to preserve.

As far as calling reset_session on logout, yes, this is also best practice as well.

I consider it good practice to reset the session when a user logs in. That way, malicious individuals can't sniff out their session cookie before a client's connection is encrypted and still use it after they use the sign in form over https. Try:

temp = session
reset_session
session.reverse_merge!(temp)

This way, session gets the new values generated by reset_session, but any other session variables remain intact.

A lot of the answers here haven't aged well due to the Rails API changing so I'll just leave one here that works as of Rails 5.0 at least.

As others have noted the Rails Security Guide recommends calling reset_session on login to avoid session fixation attacks.

You may want your session cleared on login but if you just want to change the session id and keep everything else (i.e. no side-effects) you can do it like this:

def mitigate_session_fixation
  old_values = session.to_hash
  reset_session
  session.update old_values.except('session_id')
end