A Friendlier Login System

“Agile Web D. with Rails” discusses a friendlier login
system. Basically, if a user follows a link on Page A to Page B and
Page B is login-protected, my understanding is that the user would be
diverted to the login page. Upon successfully completing the login
page, the user is automatically sent directly to Page B which was his
original destination.

My question is this: Suppose that Page A were a form which supplied
post data to Page B. Does Rails preserve the form data across the
intervening Login page so that it’s available to Page B? I am very
curious as to how Rails handles this situation.

I fully realize that this hypothetical is very unlikely to arise in
practice and there are many available work-arounds. Putting those
aside, I’m just interested in knowing how Rails handles this
situation.

Thanks for any input.

     ... doug

On Apr 27, 2012, at 12:40 PM, doug wrote:

curious as to how Rails handles this situation.
Not aware of any examples like this. Usually (following the REST
pattern) you would first GET to Page B, then if it needed any data
POSTed to it, it would display a form. Then your POST would also be to
Page B, and the request method would differentiate the two at the
controller/routing level. What usually gets saved in the session is the
URL of the page that’s requesting authentication, and nothing more about
that request.

Walter

Doug J. wrote in post #1058675:

“Agile Web D. with Rails” discusses a friendlier login
system. Basically, if a user follows a link on Page A to Page B and
Page B is login-protected, my understanding is that the user would be
diverted to the login page. Upon successfully completing the login
page, the user is automatically sent directly to Page B which was his
original destination.

My question is this: Suppose that Page A were a form which supplied
post data to Page B. Does Rails preserve the form data across the
intervening Login page so that it’s available to Page B? I am very
curious as to how Rails handles this situation.

You should not think in terms of pages as in traditional web navigation.
Instead think about the routes and controllers. In Rails, a route maps
to a controller action method. The page is subsequently rendered, almost
as a side-effect, of calling the controller action.

To directly answer your question, no Rails will not automatically
preserve the params through the redirect. You would have to do that
yourself.

However, the scenario you presented is itself somewhat broken. You would
not want to protect the action that responds to the form submission
(create or update) without protecting the action used to present the
form (new or edit). Now the redirect to the login page would happen
before the desired destination form is ever presented, effectively
preventing the issue that you’re questioning.

There is a legitimate and common edge case for this. Many sites have a
timeout, so suppose the user is logged in, pulls up a form, then goes
to lunch. After lunch they fill out the form and hit submit. Ideally
they should be asked for a password, then the form should be submitted
seamlessly.

I’d suggest using the Devise gem and not reinventing a login system.