Automatic entry with rails?

Question

Automatic entry with rails?

I'm trying to get a simple authentication system with the Restails-Authentication Rails plugin, and I'm just wondering how this works, b / c. I can’t understand what the cookie requirements are and how to make the browser always remember you (for 6 months).

A few questions:

1) How do you remember_me for ruby restful_authentication? It seems I can not find a good one-liner to solve this problem ...

If the user subscribes and checks "Remember Me", how does the rails application receive a session / cookie, if the user does nothing, and goes to the page the next time you go to the page, say, after 3 months?

2) Do I need to send some information to the server, for example, their IP address or something else? What are cookies[:auth_token] , where is it defined?

Purpose: I do not want them to enter their email address / password again, for example, how StackOverflow works :)

+4

authentication ruby-on-rails cookies remember-me

Lance pollard Nov 17 '09 at 2:02

source share

3 answers

I'm honestly not sure about this particular implementation. But the usual RESTful authentication method is to pass a hashed version of the user / password with each request as a header. Alternatively, you can use the hashed cookie value as a header.

I also saw hybrid systems that include both. You go through the session, if you know, in addition to the user / pass. Then on the server side, if the session is valid, it uses this and can cache the session -> user relationships for performance. If the session is invalid, it attempts to authenticate using the user / password.

In this type of system, you must pass the response response session as a header.

Of course, this is just a summary of how the system works, not how the ruby library is.

0

Bryan mclemore Nov 17 '09 at 2:20

source share

Here you can find a whole tutorial on secure authentication. http://railsforum.com/viewtopic.php?id=14216&p=13

0

dombesz Dec 18 '09 at 13:19

source share

Ben wiseley · Accepted Answer · 2009-11-24T00:25:13+0000

Here we do (mostly taken from an authenticated system) ... this is the controller method that processes the login that we run ...

 def login if logged_in? flash[:notice] = "You are already logged in." redirect_to "/" and return end unless request.post? render :layout => 'task' and return end self.current_user = User.authenticate(params[:login], params[:password]) if logged_in? if params[:remember_me].to_i == 1 self.current_user.remember_me cookies[:auth_token] = {:domain => "#{DOMAIN}", :value => self.current_user.remember_token , :expires => self.current_user.remember_token_expires_at } else self.current_user.forget_me cookies.delete(:auth_token, :domain => "#{DOMAIN}") cookies[:auth_token] = nil end current_user.last_seen_at = Time.now current_user.save session[:notice] = "You logged in successfully" flash[:notice] = "You logged in successfully" redirect_back_or_default(:controller => 'dashboard') and return #redirect_back_or_default(:controller => 'index', :action => 'index') and return else if $failed_login_counter.add_attempt(params[:login]) > MAXIMUM_LOGIN_ATTEMPTS logger.info("login rate limiter kicking in, #{MAXIMUM_LOGIN_ATTEMPTS} login attempts failed") redirect_to "/denied.html" and return end flash[:error] = "Unable to authenticate username and password" render(:layout => 'task') and return end end

And use this to exit

 def logout current_user.last_seen_at = Time.now current_user.save self.current_user.forget_me if logged_in? cookies.delete(:auth_token, :domain => "#{DOMAIN}") reset_session flash[:notice] = "You have been logged out." #redirect_to :back redirect_back_or_default(:controller => 'index', :action => 'index') and return end

Then, in your application.rb application, you need something like:

 before_filter :login_from_cookie def login_from_cookie return unless cookies[:auth_token] && !logged_in? user = User.find_by_remember_token(cookies[:auth_token]) if user && user.remember_token? user.remember_me self.current_user = user cookies[:auth_token] = { :domain => "#{DOMAIN}", :value => self.current_user.remember_token , :expires => self.current_user.remember_token_expires_at } flash[:notice] = "#{self.current_user.login}, you have logged in successfully" end end

And - in your user model there are several ways:

 # Encrypts some data with the salt. def self.encrypt(password, salt) Digest::SHA1.hexdigest("--#{salt}--#{password}--") end # Encrypts the password with the user salt def encrypt(password) self.class.encrypt(password, salt) end def remember_token? remember_token_expires_at && Time.now.utc < remember_token_expires_at end # These create and unset the fields required for remembering users between browser closes def remember_me self.remember_token_expires_at = 2.weeks.from_now.utc self.remember_token = encrypt("#{email}--#{remember_token_expires_at}") save(false) end def forget_me self.remember_token_expires_at = nil self.remember_token = nil save(false) end

Automatic entry with rails?

More articles: