Logout & deleting cookies

S-gw · November 3, 2007, 5:55am

The logout strategy on page 172 of AWDWR doesn’t seem to do anything.

I ended up creating the same thing on my own, then looked up how they
did it in the book.

I would expect it to update the session record to clear out the data
column, and I would expect it to delete the cookie from the browser.

It does neither.

My logout button goes to a logout page, then redirects the login page
so that the cookie should be deleted. I know I have gotten that to
work in my other (non-Rails) apps.

Am I missing something?

– gw

S-gw · November 3, 2007, 4:26pm

try something like this
def log_out
reset_session
redirect_to(‘where_ever_you_want’)
end

this will reset the whole session.

S-gw · November 3, 2007, 5:15pm

Have you looked at acts_as_authenticated plugin? You get most of the
functionality you are wanting for free, and extending it is really easy.

-Bill

S-gw · November 3, 2007, 6:35pm

Ah didn’t see that one. Perfect. Thanks.

– gw

S-gw · November 3, 2007, 6:36pm

On Nov 3, 2007, at 9:14 AM, William P. wrote:

Have you looked at acts_as_authenticated plugin? You get most of the
functionality you are wanting for free, and extending it is really
easy.

I had a quick look. I chose to port a user management system I’ve
developed through experience with intranet apps used in corp/gov/edu
systems. I evolved it over several years. I work with some fairly
complex rules systems governing what parts of a program (down to
single buttons) and what data (down to specific fields) that people
can access.

Role based systems are far too inflexible for real-world, multi-
organization, work-group use, so I’ve built up a system which
combines the capabilities of roles, groups, ACL-like privileges, and
data access filters. The filters are used to modify core application
queries to apply additional WHERE clause constraints. The system also
includes modular user profiles so it can manage multiple types of
users (like teachers, parents, students) with a clean schema. The ACL
list rules are defined by a very simple config which can be changed
at any time and the UI adapts on the next page load.

It also has all the usual password management rules you find in corp/
gov so I can:

expire a password after X days
start prompting the user to update a pswd within X days of expiration
maintain a password history so pswds can’t be the same as the last
X ones used
require that pswds be made of up X types of chars or be Y long to
be considred a passphrase
lock an account for X minutes if pswd entered Y times incorrectly

There’s other attributes to the system as well. There’s more info on
my current Lasso implementation here:

http://www.pageblocks.org/ftrs/api_auth

There’s a good chance I’ll share it when I get the port complete.

– greg willits