the "remember me" auth_token does not work when there is more than one hobo application running on a server
Reported by Henry Baragar | April 11th, 2010 @ 08:29 PM | in Hobo 1.3 (Rails 3)
I now have several hobo applications (each with its own uat and production environments) all running on a single server, which causes the "remember me" functionality to fail because the auth_token is shared amongst all the applications.
For example,
- I log into application_A on my server with the "remember me"
tick box checked
- I log into application_B on my server with the "remember me" tick box checked
At this point, the auth_token cookie from application_B has overwritten the one from application_A.
I believe that the auth_token cookie name should be created from the session cookie name by replacing the "session" with "auth_token".
For example, if we had a session cookie name of:
- applicationA_session
we should use an auth_token cookie name of:
- application_Aauth_token
Here is a patch to do just that:
--- lib/hobo/authentication_support.rb.orig 2010-03-03 21:49:39.521489182 -0500
+++ lib/hobo/authentication_support.rb 2010-04-11 15:27:27.960313913 -0400
@@ -100,7 +100,7 @@
def authenticated_user_from_cookie
!logged_in? and
- cookie = cookies[:auth_token] and
+ cookie = cookies[auth_token] and
(token, model_name = cookie.split) and
user_model = model_name._?.safe_constantize and
user = user_model.find_by_remember_token(token) and
@@ -109,10 +109,15 @@
end
def create_auth_cookie
- cookies[:auth_token] = { :value => "#{current_user.remember_token} #{current_user.class.name}",
+ cookies[auth_token] = { :value => "#{current_user.remember_token} #{current_user.class.name}",
:expires => current_user.remember_token_expires_at }
end
+ def auth_token
+ session_cookie_key = "" + ActionController::Base.session_options[:key] # Now unfrozen
+ session_cookie_key.sub!(/session/,"auth_token") || session_cookie_key + "_auth_token"
+ end
+
private
@@http_auth_headers = %w(X-HTTP_AUTHORIZATION HTTP_AUTHORIZATION Authorization)
# gets BASIC auth info
Comments and changes to this ticket
-
Matt Jones April 11th, 2010 @ 10:27 PM
Note that this is a design issue inherited from restful_authentication; it could also be regarded as a "feature" in some implementations (multiple apps on the same domain authenticating against a single user database).
Not sure if this is related or not:
http://nessence.net/2009/10/26/restful-authentication-subdomain-fu-...Note that the above link is specifically trying to get the opposite effect, persisting a single :auth_token across multiple subdomains.
-
Bryan Larsen April 12th, 2010 @ 09:14 PM
Matt, are you comfortable with this patch? It doesn't seem unreasonable to me.
-
Matt Jones April 12th, 2010 @ 09:55 PM
It seems fairly reasonable to me, but I'm still not convinced it's a correct solution to Henry's issue. If I'm reading his description correctly, what he's really looking for is the 'Path' attribute for cookies, to segment cookies from http://example.com/app_one/ vs. http://example.com/app_two/. I was shocked to discover there is not (AFAIK) any simple way to do this in Rails - I expected a config option of some sort to set the default :path value for cookies set via
cookie[:foo] = bar
.@Henry: I'm guessing that you're setting
config.action_controller.relative_url_root
for each app? Maybe we could add an option to add a:path
option to the cookie? Or maybe this monkey-patch would help:class ActionController::CookieJar def []=(key, options) if options.is_a?(Hash) options.symbolize_keys! else options = { :value => options } end options[:path] = ActionController::Base.relative_url_root || "/" unless options.has_key?(:path) super(key.to_s, options[:value]) @controller.response.set_cookie(key, options) end # Removes the cookie on the client machine by setting the value to an empty string # and setting its expiration date into the past. Like <tt>[]=</tt>, you can pass in # an options hash to delete cookies with extra data such as a <tt>:path</tt>. def delete(key, options = {}) options.symbolize_keys! options[:path] = ActionController::Base.relative_url_root || "/" unless options.has_key?(:path) value = super(key.to_s) @controller.response.delete_cookie(key, options) value end end
(drop in an initializer; this could be shorter, but alias_method_chaining a []= method is messy. Should work, but not tested.)
In any case, the existing behavior can be useful - several apps mounted on the same host with a common user table would be a standard use case. Whatever resolution we come up with, it should be switchable.
-
Matt Jones September 14th, 2011 @ 10:22 PM
- State changed from new to open
- Milestone set to Hobo 1.3 (Rails 3)
- Milestone order changed from 0 to 0
Please Sign in or create a free account to add a new ticket.
With your very own profile, you can contribute to projects, track your activity, watch tickets, receive and update tickets through your email and much more.
Create your profile
Help contribute to this project by taking a few moments to create your personal profile. Create your profile ยป