user4219550

Reputation: 117

Rack.session cookie not being deleted even after /logout code runs in Sinatra

I've developed a very simple Sinatra authentication system in Ruby that presents a browser form to the user when they put the url for the app into their browser. They then put in their login details and, if these are correct, they are then allowed into a restricted area.

My problem is that even if I run this:

get '/logout' do
    session[:session_id] = nil
    current_user = false

    File.open(LOG_FILE, "a") { |f| f.puts "Session closed... #{current_user}" }
end

when I do an inspect element using the Chrome browser dev tools, I can still see a rack session cookie. I would expect the cookie to be deleted and it hasn't been. The downside to this is that now, when I put in the url for the app, I'm no longer presented with the browser form as Sinatra still feels that I'm still logged in.

I have ensured, for whatever browser I'm using, that usernames and passwords aren't saved, but essentially I would like the session to be terminated and the cookie deleted when I put the /logout route into my browser.

Can someone please show me what I need to do? I've added the code for the authenticate method and / route.

get '/' do
    begin
        authenticate

        session[:username] = @auth.credentials[0]

        current_user = session[:username]
        File.open(LOG_FILE, "a") { |f| f.puts " ***session created #{Time.now} #{current_user}" }

        erb :index
    rescue Exception => err
        File.open(LOG_FILE, "a") { |f| f.puts " ***Daemon failure #{Time.now} err=#{err} " }
        File.open(LOG_FILE, "a") { |f| f.puts " ***Daemon failure #{Time.now} err=#{err.backtrace.join("\n")} " }
    end
end

authenticate.rb

require 'net/ldap'

def authenticate
    return true if authorized?
    headers['WWW-Authenticate'] = 'Basic realm="Restricted Area"'
    halt 401, "Not authorized\n"
end

def authorized?
    @auth ||= Rack::Auth::Basic::Request.new(request.env)
    @auth.provided? and @auth.basic? and @auth.credentials and is_authenticated_by_ldap(@auth.credentials)
end

def is_authenticated_by_ldap(credentials)
    # Assumed: the UPN suffix was meant as a string literal (Ruby does not allow a constant
    # assignment inside a method); the domain matches the :base used below
    extension = "@praetor.qube"
    full_username = credentials[0] + extension

    ldap = Net::LDAP.new :host => "just-ln1-wdc03.praetor.qube", # LDAP host name or IP
                         :port => 389,                            # LDAP port
                         #:encryption => :simple_tls,
                         :base => "DC=praetor,DC=qube",           # base of the AD tree
                         :auth => {
                             :method   => :simple,
                             #:username => credentials[0],
                             :username => full_username,          # bind as the user being authenticated
                             :password => credentials[1]          # the user's password
                         }

    # bind returns true only if the directory accepts the supplied credentials
    is_authorized = ldap.bind

    return is_authorized
end

Upvotes: 2

Views: 989

Answers (1)

probablykabari

Reputation: 1389

session.clear will remove the session vars. You'll still see a session in Chrome because it is set by Rack::Session::Cookie middleware after your action has run, but that is just a blank session.

Upvotes: 3
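To make the answer's point concrete, here is an added example that is not code from the question, the answer, Sinatra or Rack: a small stand-in for Rack::Session::Cookie (an assumption; the real middleware differs in detail but also writes the cookie after the app returns) replays both logouts for a constructed logged-in user and shows that the cookie is re-issued either way, while only session.clear removes the username that the / route stored.

```ruby
require "json"
require "base64"
require "openssl"
# Minimal stand-in for Rack::Session::Cookie (an assumption for this example, not the
# real gem): read the session from a signed cookie, run the app, then always write the
# cookie back from whatever the session hash holds afterwards.
class CookieSession
  def initialize(app, secret)
    @app, @secret = app, secret
  end

  def call(env)
    session = decode(env["HTTP_COOKIE"])
    status, headers, body = @app.call(env.merge("rack.session" => session))
    # Set after the action has run, even when the session is now empty.
    headers["Set-Cookie"] = "rack.session=#{encode(session)}; HttpOnly"
    [status, headers, body]
  end

  def encode(session)
    data = Base64.strict_encode64(JSON.generate(session))
    "#{data}--#{OpenSSL::HMAC.hexdigest('SHA256', @secret, data)}"
  end

  # A missing, malformed or tampered cookie yields an empty session (constant-time HMAC check).
  def decode(cookie)
    data, sig = cookie.to_s[/rack\.session=([^;]+)/, 1].to_s.split("--", 2)
    expected = OpenSSL::HMAC.hexdigest("SHA256", @secret, data.to_s)
    return {} unless sig && sig.bytesize == expected.bytesize &&
                     sig.bytes.zip(expected.bytes).sum { |a, b| a ^ b }.zero?
    JSON.parse(Base64.strict_decode64(data))
  rescue JSON::ParserError, ArgumentError
    {}
  end
end

# The two logouts under discussion. Rack's session hash stringifies keys, so
# Sinatra's session[:session_id] is the "session_id" entry here.
LOGOUT_FROM_QUESTION = ->(session) { session["session_id"] = nil }
LOGOUT_FROM_ANSWER   = ->(session) { session.clear }

# Replay a logout for a logged-in user (constructed user "alice" and demo secret) and
# return whether a cookie was re-issued plus what the next request decodes from it.
def run_logout(logout, secret = "demo-secret")
  app = ->(env) { logout.call(env["rack.session"]); [200, {}, ["bye"]] }
  middleware = CookieSession.new(app, secret)
  cookie = "rack.session=#{middleware.encode('username' => 'alice')}"
  _status, headers, _body = middleware.call("HTTP_COOKIE" => cookie)
  { cookie_set: headers.key?("Set-Cookie"), session: middleware.decode(headers["Set-Cookie"]) }
end
```

Running run_logout with each lambda shows a cookie present in both cases; the first still carries "username" => "alice", the second decodes to an empty hash, which is the blank session the answer describes.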
