How to logout when using Rack::Auth::Basic in Sinatra

Hi all,

Sorry for the repost - I think I have the correct forum now!

I’m writing a small app that requires basic authentication in Sinatra.
I followed the advice of the official Sinatra faq
(Sinatra: Frequently Asked Questions) and have implemented this code
with success:

require 'rubygems'
require 'sinatra'

helpers do

  # Send a 401 with the Basic challenge unless the request carries valid credentials.
  def protected!
    return if authorized?
    response['WWW-Authenticate'] = %(Basic realm="Testing HTTP Auth")
    halt 401, "Not authorized\n"
  end

  # Let Rack parse the Authorization header, then compare against the hard-coded pair.
  def authorized?
    @auth ||= Rack::Auth::Basic::Request.new(request.env)
    @auth.provided? && @auth.basic? && @auth.credentials &&
      @auth.credentials == ['admin', 'admin']
  end

end

get '/' do
  "Everybody can see this page"
end

get '/protected' do
  protected!
  "Welcome, authenticated client"
end

So I get a window asking me to enter my credentials when going to
/protected and it logs me in. Once logged in though, I would like to be
able to log out. I know the solution to this must be super easy but I
just can’t get it to work.

Any help is greatly appreciated. Thanks!

-Tony

On Thu, Aug 6, 2009 at 4:18 AM, Tony T. [email protected] wrote:

So I get a window asking me to enter my credentials when going to
/protected and it logs me in. Once logged in though, I would like to be
able to log out. I know the solution to this must be super easy but I
just can’t get it to work.

Actually, this may be a limitation of HTTP basic authentication - there
is no way to inform the browser that you wish for its credentials cache to
expire.

I am not certain of this, but I have seen this complaint raised before.
You might want to follow this up and see if the problem is a general one,
before banging your head trying to find a Sinatra specific solution.

Richard

Correct. HTTP Basic Authentication is done via the browser. The only
real way to ‘log out’ of HTTP Basic Authentication is to clear ALL of your
authenticated sessions via your browser settings. If you want an
authentication scheme that you can truly log out of, you’ll have to use
something like a session-based scheme.

Bryan
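To make Bryan's point concrete, here is an added example (not code from the thread or from Sinatra): two plain Rack-style handlers in pure Ruby, with no gems, so it runs stand-alone. `basic_app` reproduces the FAQ check and has nothing it can send to make the browser forget; `login`/`logout` show the session-based scheme where the server holds the session table and `logout` revokes the token itself. The names `basic_app`, `login`, `logout`, `protected_page`, `SESSIONS` and the `admin`/`admin` pair are assumptions constructed for the demo.

```ruby
require 'securerandom'
# Constructed demo credentials, matching the FAQ snippet in the question.
VALID_USER = ['admin', 'admin'].freeze

# Decode "Authorization: Basic <base64>" into [user, password], as Rack::Auth::Basic::Request does.
def basic_credentials(env)
  scheme, encoded = env['HTTP_AUTHORIZATION'].to_s.split(' ', 2)
  return nil unless scheme&.casecmp?('basic') && encoded
  encoded.unpack1('m0').split(':', 2)
rescue ArgumentError # not valid strict base64
  nil
end

# Basic auth endpoint: the only "logout" the server can express is another 401,
# and the browser will simply resend its cached credentials on the next request.
def basic_app(env)
  return [200, {}, ["Welcome, authenticated client\n"]] if basic_credentials(env) == VALID_USER
  [401, { 'WWW-Authenticate' => 'Basic realm="Testing HTTP Auth"' }, ["Not authorized\n"]]
end

# Session-based alternative: the server owns the session table, so logout is a real revocation.
SESSIONS = {} # token => username (in-memory store, enough for the demo)

def session_token(env)
  env['HTTP_COOKIE'].to_s.split(/;\s*/).each do |pair|
    name, value = pair.split('=', 2)
    return value if name == 'session'
  end
  nil
end

def login(env)
  creds = basic_credentials(env) # credentials are presented once, at login only
  return [401, {}, ["Not authorized\n"]] unless creds == VALID_USER
  token = SecureRandom.hex(32) # unguessable; never derived from the username
  SESSIONS[token] = creds.first
  [200, { 'Set-Cookie' => "session=#{token}; HttpOnly; Secure; SameSite=Lax" }, ["Logged in\n"]]
end

def protected_page(env)
  user = SESSIONS[session_token(env)]
  return [401, {}, ["Not authorized\n"]] unless user
  [200, {}, ["Welcome, #{user}\n"]]
end

def logout(env)
  SESSIONS.delete(session_token(env)) # revoke server-side; the old cookie is now worthless
  [200, { 'Set-Cookie' => 'session=; Max-Age=0; HttpOnly; Secure; SameSite=Lax' }, ["Logged out\n"]]
end
```

After `logout`, a replayed cookie gets 401 even though the browser still holds it, which is exactly what Basic auth cannot offer.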