I have the restful_authentication plugin installed in a Rails app, with a sessions_controller that has a destroy method like this:
def destroy
  self.current_user.forget_me if logged_in?
  cookies.delete :auth_token
  reset_session
  flash[:notice] = "You have been logged out."
  redirect_back_or_default('/')
end
In the application controller I have:
before_filter :login_required
And in the sessions_controller I have:
skip_before_filter :login_required
My problem is that when a user authenticates with HTTP Basic authentication, he/she is not logged out. The session is destroyed, but the user is able to navigate to restricted pages with no problem. This problem does not occur with session authentication through the plugin. How can I make this method get rid of the Basic authentication?
I've found a quite interesting way to overcome this by using a session variable to remember which user has logged out. The idea is that even though the browser's still sending authentication data, we're just ignoring it, because the user chose to log out. Whenever a new login request is sent to the browser, all the authentication data is erased, so the user is able to log back in any time.
Then, on the events controller I do:
And finally my session controller looks like this:
And don't forget your routes!
This only works for IE 6 SP1+:
http://msdn.microsoft.com/en-us/library/ms536979(VS.85).aspx
Note that this will clear the cache for all sites the user is currently logged into (within the same IE instance).
Hmm, it sounds like the client browser is just caching the HTTP Basic Auth credentials and re-sending them every time. In which case you have no control over that. The actions that you wish to be protected need to be protected with the proper before_filter for the restful_authentication plugin, which should be
So in your controller you would have
HTTP Authentication is stateless - that is, the server does not keep track of an authenticated "session" - thus, the client must supply it each time (hence the frequent checkbox 'store these credentials'), thus there is no way for the server to clear the client credentials. This is part of the spec. See the Wikipedia entry
http://en.wikipedia.org/wiki/Basic_access_authentication
Specifically, look at the "Disadvantages" section.
I know, a little bit after the party, but if you want to log out you can render 401.
So the logout method could look like this:
Your RESTful action could look like this:
and the browser will raise HTTP Basic authentication again
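The two server-side ideas in these answers (remembering in the session which user logged out so replayed Basic credentials are ignored, and answering a restricted request with a 401 challenge so the browser prompts again) can be combined. The following is an added example, not code from the question or from the restful_authentication plugin: a plain-Ruby stand-in for a controller session with an analogue of login_from_basic_auth. The USERS hash, the BasicAuthSession class and the :basic_auth_logged_out session key are assumptions made for the demo.

```ruby
require 'base64'

# Constructed credential store for the demo (assumption: stands in for the
# plugin's User model and its authenticate method).
USERS = { 'alice' => 'secret' }.freeze

# Hypothetical stand-in for a Rails controller session plus the basic-auth
# parts of restful_authentication's AuthenticatedSystem.
class BasicAuthSession
  LOGGED_OUT_KEY = :basic_auth_logged_out # assumed session key
  attr_reader :session

  def initialize
    @session = {}
  end

  # Decode "Basic base64(user:pass)"; returns [user, pass] or nil on malformed input.
  def self.parse_basic(header)
    return nil unless header.is_a?(String) && header.start_with?('Basic ')
    decoded = Base64.decode64(header.sub(/\ABasic\s+/, ''))
    user, pass = decoded.split(':', 2)
    return nil if user.nil? || user.empty? || pass.nil?
    [user, pass]
  end

  # Constant-time comparison so a wrong password is not distinguishable by timing.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Analogue of login_from_basic_auth: accept the header only when the
  # credentials are valid AND this session has not recorded an explicit
  # logout for that user (the browser keeps replaying the header regardless).
  def login_from_basic_auth(header)
    user, pass = self.class.parse_basic(header)
    return nil unless user
    expected = USERS[user]
    return nil unless expected && self.class.secure_equal?(expected, pass)
    return nil if session[LOGGED_OUT_KEY] == user
    session[:user] = user
  end

  def logged_in?(header)
    !!(session[:user] || login_from_basic_auth(header))
  end

  # Logout: drop the session but remember who logged out, so the replayed
  # Authorization header is ignored until the browser is challenged again.
  def destroy(header)
    user, = self.class.parse_basic(header)
    session.clear
    session[LOGGED_OUT_KEY] = user if user
    [302, {}, 'You have been logged out.']
  end

  # Restricted action: 200 when logged in, otherwise a 401 with a
  # WWW-Authenticate challenge, which makes the browser prompt for
  # credentials again; the logged-out marker is cleared at that point
  # so the user can log back in.
  def restricted(header)
    if logged_in?(header)
      [200, {}, "hello #{session[:user]}"]
    else
      session.delete(LOGGED_OUT_KEY)
      [401, { 'WWW-Authenticate' => 'Basic realm="Application"' }, 'unauthorized']
    end
  end
end
```

In a real controller the session hash and the Authorization header come from Rails; the point of the example is the order of operations: after destroy, the same header no longer authenticates, the next restricted request returns 401 with a challenge, and only a fresh login (which in practice means the user typing credentials into the browser prompt again) is accepted.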
I just updated login_from_basic_auth in authenticated_system to read:
Nothing can be done server-side to "logout" a user in this situation. When the user logs in through basic authentication, the browser stores the authentication information, and sends the authentication parameters through the HTTP headers with every request. If the user logs in with basic auth, he/she will have to close his/her browser window to logout.