I have a cookie which can exist on either of these domains - www.xyz.com or .xyz.com. I am having trouble deleting the cookie through code. Since it can exist on either of the domains I was assuming doing the following should be sufficient:
...
  cookies.delete cookie                  # delete cookie if it exists on current domain (www.xyz.com)
  cookies.delete cookie, :domain => :all # delete cookie if it exists on root (.xyz.com)
...
But cookies.delete cookie, :domain => :all seems to be rendering the first call useless as if the cookie is set on www.xyz.com then it doesn't get deleted.
Any ideas on how to delete a cookie that might exist on two different domains?
Well, Rails doesn't allow deleting a cookie with the same name twice during one request, even though they have been set for different domains.
Assuming you are trying to log out, a double redirect is the best I came up with:
  def logout
    cookies.delete(:user_id)                # clears the host-only cookie (www.xyz.com)
    redirect_to logout_all_path             # second request, so the same name can be deleted again
  end

  def logout_all
    cookies.delete(:user_id, domain: :all)  # clears the cookie set on the root domain (.xyz.com)
  end
I don't know whether Rails 6 has solved this problem, so a PR wouldn't hurt.
When deleting a cookie, cookies.delete(:user_id) is the same as the explicit form cookies.delete(:user_id, domain: nil).
It is not obligatory to specify the domain in your code.
I believe you need to be explicit about which domain you're deleting cookies from:
  cookies.delete cookie, :domain => "xyz.com"
From the Rails docs, it looks like you can set with domain: :all but not delete.
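As an added example (not part of either answer above), a minimal cookie-jar simulation shows why both deletions are needed: a browser only removes the cookie whose name, domain and path all match the deleting Set-Cookie, so clearing user_id for www.xyz.com alone leaves the .xyz.com copy, and the session it carries, alive. CookieJar, logout_demo and the user_id / www.xyz.com values are constructed for the illustration.

```ruby
require 'time'

# Added example, not from the original answers: a minimal RFC 6265-style
# cookie jar. Cookies are keyed by (name, domain, path), and a deletion is a
# Set-Cookie with the same key and a past Expires, so a logout that clears
# "user_id" for only one domain leaves the other copy (and the session) alive.
class CookieJar
  def initialize(host)
    @host = host
    @cookies = {} # [name, domain, path] => value
  end

  # Apply one Set-Cookie header. A missing Domain attribute makes the cookie
  # host-only (stored under the request host); a leading dot is ignored.
  def set_cookie(header)
    pairs = header.split(/;\s*/)
    name, value = pairs.shift.split('=', 2)
    attrs = pairs.map { |p| k, v = p.split('=', 2); [k.downcase, v] }.to_h
    domain = attrs['domain'] ? attrs['domain'].sub(/\A\./, '') : @host
    path = attrs['path'] || '/'
    key = [name, domain, path]
    if attrs['expires'] && Time.parse(attrs['expires']) <= Time.now
      @cookies.delete(key) # an already-expired cookie is a deletion
    else
      @cookies[key] = value
    end
  end

  # Domains of the cookies the browser would still send to @host.
  def surviving_domains
    @cookies.keys.select { |_, d, _| @host == d || @host.end_with?(".#{d}") }
            .map { |_, d, _| d }.sort
  end
end

EXPIRED = 'Thu, 01 Jan 1970 00:00:00 GMT'

# Constructed scenario: "user_id" was set both host-only on www.xyz.com and
# for the whole .xyz.com domain. Returns the domains that survive the given
# deletion headers; an empty array means the logout really cleared both.
def logout_demo(delete_headers)
  jar = CookieJar.new('www.xyz.com')
  jar.set_cookie('user_id=42; Path=/')
  jar.set_cookie('user_id=42; Domain=.xyz.com; Path=/')
  delete_headers.each { |h| jar.set_cookie(h) }
  jar.surviving_domains
end
```

Deleting with no Domain leaves ["xyz.com"], deleting with Domain=.xyz.com leaves ["www.xyz.com"], and only both headers together return [].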
Related
I have a weird problem when I try to use the door_keeper gem with a Rails app. The problem occurs when I use the OAuth2 gem to get the token. But at the part where I have the URL:
http://0.0.0.0:3000/oauth/authorize?response_type=code&client_id=199f27a02764f1ef1d31c2860b83ef93c0cc3dc26886d2b3d76b8ef1e935f3ae&redirect_uri=http%3A%2F%2F0.0.0.0%3A3000%2Fcallback
it doesn't redirect to the page where we authorize and get the token, but redirects directly to http://0.0.0.0:3000
What's the problem I have here? It should redirect to the application's authorize page first, shouldn't it?
The authorization page requires a user to be logged in. You set that up in the resource_owner_authenticator block, and it should look something like this:
  resource_owner_authenticator do |routes|
    # Put your resource owner authentication logic here.
    # If you want to use named routes from your app you need
    # to call them on the routes object, e.g.
    # routes.new_user_session_path
    # find_by_id returns nil (instead of raising) when nothing is in the session,
    # and the fallback must actually redirect rather than just return the path.
    User.find_by_id(session[:user_id]) || redirect_to(routes.new_user_session_path)
  end
In this case, if the user is not in the session when they try to access /oauth/authorize, they get redirected back to new_user_session_path.
Only when the user is found in the session will you be able to see the authorization page.
I'm having a problem using a sub URL: when I try to access it through the authentication page, it generates an authentication cookie, but I stay on the login screen, and if I try to access some page it says that I must be logged in.
If you mean sub-domain, you have to change your config/initializers/session_store.rb
and add your subdomain, with a dot before it, like this:
  Rails.application.config.session_store :cookie_store, :key => '_key', :domain => ".yourdomain.com"
I have configured basic authentication (in a controller).
Above everything in the controller file:
  before_filter :check_logged_in, :only => [:edit, :update, :destroy]
At the bottom of the file:
  private

  def check_logged_in
    authenticate_or_request_with_http_basic("Ads") do |username, password|
      username == "admin" && password == "apple"
    end
  end
It works like a charm, but there is one thing I don't understand - when I provide the username and password it stays logged in for a long period of time, and when I click on 'delete' or 'update' for specific entries I'm not getting prompted again. I thought something went wrong, but when I opened another browser it prompted me again, but only once; I didn't have to authenticate for the rest.
Then I thought it was a cookie issue, but nothing changed even though I deleted all the cookies in Chrome. So I have a couple of questions:
Is there any way to say for how long I'm going to be authenticated?
Is there any way to be prompted for authentication every time I click on the resources mentioned here - :check_logged_in, :only => [:edit, :update, :destroy] ?
HTTP basic authentication doesn't use cookies. The login information is sent with every HTTP request to the specified web server. You are logged in until you close your web browser or delete all active logins.
I've followed the asciicast at http://asciicasts.com/episodes/221-subdomains-in-rails-3
I've set the :domain option to :all in the session store:
  Rails.application.config.session_store :cookie_store, :key => '_bloggit_session', :domain => :all
Now my users cannot logout.
Any ideas why? I've tried deleting all cookies and then trying again, etc.
I can login, and my session is carried across subdomains, but I can't logout.
I am using Rails 3, and Authlogic for authentication.
Thanks for any help!
Specify the Domain.
I had the exact same issue and the culprit was using :domain => :all.
You'd think that would be all you need but it seems to cause some problems so I had to manually specify the domain with a preceding dot (.), like so:
  :domain => '.lvh.me'
This fixed the issue in development. You can use different ways to set this in your various environments but I landed on something like this:
  Rails.application.config.session_store :cookie_store,
    :key    => '_bloggit_session',
    :domain => { production:  '.bloggit.com',
                 staging:     '.bloggitstaging.com',
                 development: '.lvh.me' }.fetch(Rails.env.to_sym)
I'm using Devise and OmniAuth (Facebook) in a Rails 3 app. I just started noticing this behavior recently.
When a user signs in, he is redirected to his dashboard; however, the characters "#_" are being appended to the URL. The only thing I can think of now is a conflict between the routes created by:
  resources :users
and
  # User Authentication
  devise_for :users,
             :singular    => :user,
             :controllers => { :registrations => 'registrations' } do
    get 'logout' => 'devise/sessions#destroy'
  end
Is this only happening with Facebook? If so it is probably related to: https://developers.facebook.com/blog/post/552/. Notice how Facebook outlines that they changed the session redirect handling to append a #_=_ to responses. I'm not sure why this was done; however, you may be able to fix it by supplying an explicit redirect URL.