views:

255

answers:

2

If a user has cookies disabled in their browser can restful authentication and role requirement still work?

On our site, with cookies disabled, the system won't let you log in. Any way to fix this?

Thanks in advance.

A: 

Yes, and no. The only way to make this work is by adding the session key to your URL. This is a proven security issue, so don't go there!

Ariejan
+1  A: 

You should be able to get the users to log in via HTTP Auth. Using request_http_basic_authentication should make the browser request auth. This is remembered by the browser.

Or better override login_from_basic_auth in authenticated_system.rb:

def login_from_basic_auth
  authenticate_or_request_with_http_basic do |login, password|
    self.current_user = User.authenticate(login, password)
  end
end

This will most likely make all users see the HTTP auth page. You should probably only do this for users known to lack cookie support.

cwninja