Destroying Session when browser closed - Ruby on Rails - ruby-on-rails

I have sign_in page using remember me checkbox.
Remember Me - obviously to remember session forever (with 20 years expiration) unless you will click the log-out button.
The problem is, I can't sign in if I didn't check the remember me.
SessionController:
def create
user = User.find_by(email: params[:email].downcase)
if user && user.authenticate(params[:password])
if params[:remember_me]
sign_in user
redirect_to root_url
else
User.find_by_id(session[:remember_token])
session[:remember_token] = user.id
redirect_to root_url
end
else
flash.now[:danger] = 'Invalid email/password combination'
render 'new'
end
end
SessionHelper
def sign_in(user)
remember_token = User.new_remember_token
cookies.permanent[:remember_token] = remember_token
user.update_attribute(:remember_token, User.encrypt(remember_token))
self.current_user = user
end
def signed_in?
!current_user.nil?
end
def current_user=(user)
#current_user = user
end
def current_user
remember_token = User.encrypt(cookies[:remember_token])
#current_user ||= User.find_by(remember_token: remember_token)
end
def sign_out
self.current_user = nil
cookies.delete(:remember_token)
end

In your create method, you didn't actually mark the user as logged in when the user didn't check the remember me box. It only stores user.id in session[:remember_token].
if user && user.authenticate(params[:password]) # valid email & password
if params[:remember_me] # remember me
sign_in user
redirect_to root_url
else # do not remember me
#User.find_by_id(session[:remember_token]) # this line did nothing
session[:remember_token] = user.id # store user.id in session
redirect_to root_url
end
else
...
end
Your current_user doesn't check user.id in session, but only checks cookies or manual assignment of current_user.
I would rewrite current user like this:
def current_user
if #current_user
#current_user
elsif session[:remember_token]
#current_user ||= User.find_by_id(session[:remember_token])
elsif cookies[:remember_token]
remember_token = User.encrypt(cookies[:remember_token])
#current_user ||= User.find_by(remember_token: remember_token)
else
nil
end
end
BTW. The title is irrelevant with the problem defined in the body.

Related

What's the impact of sequence between cookies and session when implementing "current_user"?

I am learning how to build a simple authentication function with session and cookies.
I have a User model, then sessions_controller. I also create remember_token column for users table to handle the "remember_me" situation.
This is the relevant code:
sessions_controller
def create
user = User.find_by_email(params[:email])
if user && user.authenticate(params[:password])
session[:user_id] = user.id
if params[:remember_me]
user.generate_token(:remember_token)
cookies.permanent[:remember_token] = user.remember_token
end
redirect_to root_url
flash[:notice] = "Logged in."
else
render "new"
flash[:notice] = "Invaid email or password."
end
end
user.rb
has_secure_password
def generate_token(column)
self[column] = SecureRandom.urlsafe_base64
self.save
end
application_controller
helper_method :current_user
def current_user
if session[:user_id]
#current_user ||= User.find(session[:user_id])
elsif cookies[:remember_token]
#current_user ||= User.find(cookies[:remember_token])
end
end
The code above seems to be working. But at first I actually reversed the code's sequence in :current_user, like this:
def current_user
if cookies[:remember_token]
#current_user ||= User.find(cookies[:remember_token])
elsif session[:user_id]
#current_user ||= User.find(session[:user_id])
end
end
This will raise an exception: "Couldn't find User with 'id'= some_token_here"
In this case, why I can't use the cookies[:remember_token] to find the user firstly. Does the sequence matter? Or, if I had some misunderstanding about how session and cookies work?
That is because if you use find, it finds a record by its database id.
What you want is to find by the remember_token column, so User.find_by(remember_token: cookies[:remember_token])
def current_user
if cookies[:remember_token]
#current_user ||= User.find_by(remember_token: cookies[:remember_token])
elsif session[:user_id]
#current_user ||= User.find(session[:user_id])
end
end
From Rails Guide
Using the find method, you can retrieve the object corresponding to the specified primary key that matches any supplied options.
For example:
# Find the client with primary key (id) 10.
client = Client.find(10)
# => #<Client id: 10, first_name: "Ryan">
User.find(session[:user_id]) returns all users that has matching primary_key
In your second case: "User.find(cookies[:remember_token])", you should
search from "remember_token" column.

undefined method `update_attribute' for nil:NilClass

I am able to create users and sign in, however when I sign out I receive the following (although the session does appear to end):
NoMethodError at /signout
undefined method `update_attribute' for nil:NilClass
This is on the sign_out method in the SessionsHelper, where current_user.update_attribute(...)
Does this mean that current_user is nil? What can I do to fix, this. I'm very new to RoR, thanks.
Here's my SessionsHelper
module SessionsHelper
def sign_in(user)
remember_token = User.new_remember_token
cookies.permanent[:remember_token] = remember_token
user.update_attribute(:remember_token, User.encrypt(remember_token))
self.current_user = user
end
def signed_in?
!current_user.nil?
end
def current_user=(user)
#current_user = user
end
def current_user
remember_token = User.encrypt(cookies[:remember_token])
#current_user ||= User.find_by(remember_token: remember_token)
end
def sign_out
current_user.update_attribute(:remember_token, User.encrypt(User.new_remember_token))
#current_user.update_attribute(:remember_token, User.new_remember_token)
cookies.delete(:remember_token)
self.current_user = nil
end
end
Here's my SessionsController
class SessionsController < ApplicationController
def new
end
def create
user = User.find_by(email: params[:session][:email].downcase)
if user && user.authenticate(params[:session][:password])
sign_in user
redirect_to user
else
flash.now[:error] = 'Invalid email/password combination' #not quite right
render 'new'
end
end
def destroy
sign_out
redirect_to 'signin'
end
end
it would be nice if you told us what the exact circumstances are that you got this error.
it's quite possible you're going to the sign-out page when you're not actually currently signed-in.
In which case - why don't you add "if signed_in?" to your action eg:
def sign_out
return unless signed_in? # you are already signed out
current_user.update_attribute(:remember_token, User.encrypt(User.new_remember_token))
cookies.delete(:remember_token)
self.current_user = nil
end
def destroy
sign_out if signed_in?
redirect_to 'signin'
end
Alternatively - do you have skip_before_action authenticate_user or similar for sign_out?
Again - to sign out, you have to be signed-in... so you can't skip the authentication action for sign-out.

Rails Sign_in(user) not working - remember_token

I'm trying to allow my users to sign in and I have narrowed my problem to one method.
in session_helper.rb
def sign_in(user)
remember_token = User.new_remember_token
cookies.permanent[:remember_token] = remember_token
user.update_attribute(:remember_token, User.encrypt(remember_token))
self.current_user = user
end
def signed_in?
!current_user.nil?
end
How do I check what my current column structure is in my database and make fix this issue?
If a user signs in, it gives a positive flash response.
sessions_controller.rb
def new
end
def create
user = User.find_by_email(params[:session][:email])
if user && user.authenticate(params[:session][:password])
sign_in user
flash[:success] = 'Signed in'
redirect_to user
else
flash.now[:error] = 'Invalid email/password combination'
render 'new'
end
end
but it still returns signed_in? as false.
Any ideas?

NoMethodError in SessionsController#create (undefined method `current_user) Hartl Chapter 9

When i sign into the sample app i've made from Hartl's rail tutorial at the end of Chapter 9 i get this error. I've searched high and low but can't figure out what's probably very obvious.
NoMethodError in SessionsController#create
undefined method `current_user=' for #session....
The errors occur in these 2 files, code below
app/helpers/sessions_helper.rb:7:in sign_in'
app/controllers/sessions_controller.rb:9:increate'
app/helpers/sessions_helper
module SessionsHelper
def sign_in(user)
remember_token = User.new_remember_token
cookies.permanent[:remember_token] = remember_token
user.update_attribute(:remember_token, User.encrypt(remember_token))
self.current_user = user
end
def signed_in?
!current_user.nil?
end
def current_user
remember_token = User.encrypt(cookies[:remember_token])
#current_user ||= User.find_by(remember_token: remember_token)
end
def current_user?(user)
user == current_user
end
def sign_out
self.current_user = nil
cookies.delete(:remember_token)
end
def redirect_back_or(default)
redirect_to(session[:return_to] || default)
session.delete(:return_to)
end
def store_location
session[:return_to] = request.url if request.get?
end
end
app/controllers/sessions_controller
class SessionsController < ApplicationController
def new
end
def create
user = User.find_by(email: params[:session][:email].downcase)
if user && user.authenticate(params[:session][:password])
sign_in user
redirect_back_or user
else
flash.now[:error] = 'Invalid email/password combination'
render 'new'
end
end
def destroy
sign_out
redirect_to root_url
end
end
Take a look at listing 8.20 on http://ruby.railstutorial.org/chapters/sign-in-sign-out. It looks like you missed the step of defining the current_user= method
def current_user=(user)
#current_user = user
end

ruby on rails - sessions

I'm following this tutorial: http://ruby.railstutorial.org/
I have a problem with my sessions. Every time I login to my application, I get no session but get redirected to my user page. And create/register users works, too.
sessions_helper.rb
module SessionsHelper
def sign_in(user)
cookies.permanent[:remember_token] = user.remember_token
#current_user = user
#self.current_user = user
end
def signed_in?
#current_user != nil
#!#current_user.nil?
end
def current_user
#current_user ||= User.find_by_remember_token(cookies[:remember_token])
##current_user ||= User.find_by_remember_token(cookies[:remember_token])
end
def current_user?(user)
#current_user = user
end
def sign_out
self.current_user = nil
cookies.delete(:remember_token)
end
def store_location
session[:return_to] = request.url
end
end
session_controller.rb
class SessionsController < ApplicationController
def new
#title = "| Signin"
end
def create
user = User.find_by_email(params[:session][:email].downcase)
if user && user.authenticate(params[:session][:password])
sign_in user
redirect_to user
else
#Fehlermeldung anzeigen falls login nicht erfolgreich war
flash.now[:error] = "Invalid email/password combination"
render 'new'
end
end
def destroy
sign_out
redirect_to root_url
end
end
I see at least one mistake:
def current_user?(user)
#current_user = user
end
Should be
def current_user?(user)
#current_user == user
end
==, not =, because you should check that current_user equals some other user, not make an assignment.

Resources