session remains https even after a user logs out - ruby-on-rails

My team has developed an app using RoR. We're using devise gem for authorization. The problem is that the user session remains https even after a user signs out. This is causing some problems with varnish.
Could someone please point out how I can change it so that the session is http instead of https after logging out?
Thanks

Related

Users immediately logged out by devise, only on production

I'm working on a rails web app (not originally written by me). Devise is used for authentication. It works fine in the development environment. In production however, users can log in successfully, but on subsequent GET requests, they are no longer logged in and current_user is nil.
I'm not even sure how to debug this because it seems like all of the devise functionality is behind the scenes. Any suggestions as to what could cause this and what I can check?
The application was configured to require https and logged users out if they connected with http.

Session retention after login on iOS app and Devise with Rails

I'm building an iOS app with Rails on the back-end.
The Rails application uses Devise for authentication and I want to use the same service for authentication in the iOS app. Is there any way, after authenticating, to keep the session even after the app restarts, so that it goes straight to the content of the app instead of the login screen?
I've looked around, but haven't found a clear answer.
Thanks in advance!
One solution could be to extend the existing Devise models and controllers to also handle a token-based authentication system. Based on the request type (HTML or JSON), the app can choose to authenticate a user either by the authentication token and email or by a combination of username/email and password.
The authentication token could be saved on the client side and reset only when the user logs out.
I was recently working on the same problem and found these sources to be extremely useful.
https://gist.github.com/josevalim/fb706b1e933ef01e4fb6
http://www.soryy.com/blog/2014/apis-with-devise/
https://github.com/lynndylanhurley/devise_token_auth
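An added example, not from the answer or from Devise, of the two-strategy scheme the answer describes in plain Ruby: password sign-in for the HTML flow issues an API token, the JSON flow authenticates by email plus token, and sign-out revokes the token server-side. The in-memory USERS store, the SHA-256 digests and the token format are assumptions standing in for the Devise model.

```ruby
require "securerandom"
require "digest"

# Constructed in-memory stand-in for the Devise User table (assumption):
# email => { password_digest:, token_digest: }. Only digests are stored, so a
# database leak does not expose usable tokens. A real app would hash
# passwords with bcrypt as Devise does; SHA-256 keeps this example stdlib-only.
USERS = {}

def digest(value)
  Digest::SHA256.hexdigest(value)
end

# Constant-time comparison of two equal-length digests (no early exit on the
# first differing byte, so response timing does not leak how much matched).
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def register(email, password)
  USERS[email] = { password_digest: digest(password), token_digest: nil }
end

# HTML/password sign-in. On success a fresh API token is issued; the raw
# token is returned to the client exactly once and only its digest is kept.
def sign_in_with_password(email, password)
  record = USERS[email]
  return nil unless record && password &&
                    secure_compare(digest(password), record[:password_digest])
  token = SecureRandom.urlsafe_base64(32)
  record[:token_digest] = digest(token)
  token
end

# JSON/token sign-in used by the iOS app on every request: email + token,
# no password. Returns the authenticated email or nil.
def authenticate_with_token(email, token)
  record = USERS[email]
  return nil unless record && record[:token_digest] && token
  secure_compare(digest(token), record[:token_digest]) ? email : nil
end

# Sign-out revokes the token server-side, so a copy kept on a lost or
# stolen device stops working instead of living forever.
def sign_out(email)
  USERS[email][:token_digest] = nil if USERS[email]
end
```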

Rails API using devise auth_token logs out logged in user

So here's the scenario:
Users can log in normally through the Devise login. Once logged in, the user dashboard has embedded Flash which makes calls to the API on the same server (both at localhost:3000 currently).
Calls to API are made with a supplied auth_token, using devise's token_authenticatable.
Here's where the problem occurs.
Once an API request is made, the logged in user is logged out.
I've done a lot of digging around but haven't found any solid leads on how I might solve this.
I believe the problem is because the call to the API is overwriting the user's cookie which was set by the browser. I tested this by watching auth cookie being set and being overwritten once the API is called.
FYI I'm developing in Chrome.
Any help is greatly appreciated. If I haven't gone into enough details please let me know if I can provide any other information that might help you diagnose the issue.
Thanks a lot
I think the problem is that you are not posting the CSRF token to your server. CSRF protection is on by default in all Rails applications. You can bypass it by adding the following line to your controller.
skip_before_filter :verify_authenticity_token
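The line above removes CSRF verification from that controller entirely. As an added example (not from the answer and not Rails' own code), a simplified plain-Ruby model of how Rails' `protect_from_forgery` strategies treat an API call that arrives with the browser's session cookie but no CSRF token: `:reset_session` clears the browser session, which matches the logged-out symptom, while `:null_session` on the API controller, or sending the CSRF token with the Flash call, keeps the session intact with the check still on. The Request struct and the API_TOKENS table are assumptions.

```ruby
require "securerandom"

# Constructed, simplified model of a Rails request (assumption): the cookie-
# backed browser session, the CSRF token the client sent (nil for the Flash
# call), and the Devise auth_token it supplied.
Request = Struct.new(:session, :csrf_token, :auth_token, keyword_init: true)

# Constructed auth_token => email table (assumption); Devise would look this
# up in the users table via token_authenticatable.
API_TOKENS = { "constructed-token-1" => "user@example.com" }

# The three protect_from_forgery strategies, applied to an unverified request.
def handle_unverified_request(strategy, req)
  case strategy
  when :exception     then raise "InvalidAuthenticityToken"
  when :reset_session then req.session.clear   # wipes Devise's warden keys: browser logged out
  when :null_session  then req.session = {}    # empty session for this call only; cookie untouched
  else raise ArgumentError, "unknown strategy #{strategy}"
  end
end

def verified?(req)
  !req.csrf_token.nil? && req.csrf_token == req.session[:_csrf_token]
end

# Runs one API call and returns [user the call ran as, browser session afterwards].
def api_call(strategy, req)
  browser_session = req.session
  handle_unverified_request(strategy, req) unless verified?(req)
  user = API_TOKENS[req.auth_token] || req.session[:user_email]
  [user, browser_session]
end

# A logged-in browser session as Devise plus Rails would leave it.
def fresh_browser_session
  { _csrf_token: SecureRandom.hex(16), user_email: "user@example.com" }
end
```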

Need SSL to support Facebook authentication on my site?

I am making a Rails site that lets people sign in, only using Omniauth authentication with Facebook. No passwords are entered into my site. Is it still beneficial to have SSL on my site? Or does the Facebook authentication route pretty much take care of that? I know SSL is required for Facebook apps/sites that appear in FB, and that is NOT my case.
I know it will work, just like I can have a login screen with email/password without SSL. It will work, but it's not exactly secure. I'm looking for a recommendation... if I don't have SSL on my site, what info is passed that would not be secure? And is that info worth having my own SSL certificate to hide it from anyone watching?
Partial answer: It will work fine without SSL even if your app user has secure browsing enabled.
It's an ipage; when browsed via HTTPS it displays an error.

Authlogic, logout, credential capture and security

Ok this is something weird. I got authlogic-oid installed in my rails app today. Everything works perfectly fine but for one small nuisance.
This is what I did:
I first register with my Google OpenID. Successful login, redirection and my email, along with my correct OpenID, is stored in my database. I am happy that everything worked fine!
Now when I log out, my Rails app as usual destroys the session and redirects me back to my root URL where I can log in again. Now if I try to log in it still remembers my last login ID. Not a big issue as I can always "Sign in as a different user", but I am wondering if there is any way to not only log out from my app but also log out from Google.
I noticed the same with Stack Overflow's OpenID authentication system.
Why am I so bothered about this, you may ask. But is it not a bad idea if your web app's end user, who happens to be in a cyber cafe, thinks he has logged out from your app and hence from his Google account, only to realize later that his Google account had got hacked by some unworthy loser who just happened to notice that the one before him had not logged out from Google and, say, changed his password!!
Should I be paranoid? Isn't this a major security lapse when implementing the OpenID spec? Probably today someone can give me a workaround for this issue and the question is solved for me. But what about the others who have implemented OpenID in their apps and not implemented a workaround?
If this is such a big issue to you, do not use OpenID, or display a DHTML popup after a successful log out reminding the users that their session is still valid on their OpenID provider.
As for Google's OpenID, what you can probably do is redirect users through the following URL after
http://www.google.com/accounts/ClearSID?continue=http%3A%2F%2Fwww.google.com%2Faccounts%2FLogout%3Fcontinue%3Dhttp%3A%2F%2Fwww.google.com%2F
Afaik, there is no way you can log the user out of their account in another system. Your app is supposed to be responsible only for its own business. As a user, I'd be very surprised if a website using OpenID could log me out of my Google account.
Yes, there is a scenario that a user can assume that they are logged out of google because they logged out on your site but that would (and should) be their own fault.