Logout with http basic authentication and restful_authentication plugin

Question

Hi All,

I have the restful_authentication plugin installed in a rails app, with a sessions_controller that has a destroy method like this:

def destroy
  self.current_user.forget_me if logged_in?
  cookies.delete :auth_token
  reset_session
  flash[:notice] = "You have been logged out."
  redirect_back_or_default('/')
end

In the application controller I have:

before_filter :login_required

And In the sessions_controller I have:

skip_before_filter :login_required

My problem is that when a user authenticates with http basic authentication, he/she is not logged out. the session is destroyed, but the user is able to navigate to restricted pages with no problem. This problem does not occur with session authentication through the plugin. How can I make this method get rid of the basic authenication?

Answer 1

Do you have the before_filter set on each of the protected pages like this

Class SomeController < ApplicationController
    before_filter :login_required

   other methods...

end

Or has "a user" saved their login and password in the browser?

Answer 2

Hmm, it sounds like the client browser is just caching the HTTP Basic Auth credentials and re-sending them every time. In which case you have no control over that. The actions that you wish to be protected need to be protected with the proper before_filter for the restful_authentication plugin, which should be

require_authentication

So in your controller you would have

before_filter :require_authentication

HTTP Authentication is stateless - that is, the server does not keep track of an authenticated "session" - thus, the client must supply it each time (hence the frequent checkbox 'store these credentials'), thus there is no way for the server to clear the client credentials. This is part of the spec. See the Wikipedia entry

http://en.wikipedia.org/wiki/Basic_access_authentication

Specifically, look at the "Disadvantages" section.

Answer 3

I just updated login_from_basic_auth in authenticated_sytem to read:

    def login_from_basic_auth
      false
#      authenticate_with_http_basic do |login, password|
#        self.current_user = User.authenticate(login, password)
#      end
    end

Answer 4

Nothing can be done server-side to "logout" a user in this situation. When the user logs in through basic authentication, the browser stores the authentication information, and sends the authentication parameters through the http headers with every request. if the user logs in with basic auth, he/she will have to close his/her browser window to logout.

Answer 5

I've found a quite interesting way to overcome this by using a session variable to remember which user has logged out. The idea is that even though the browser's still sending authentication data, we're just ignoring it, because the user chose to log out. Whenever a new login request is sent to the browser, all the authentication data is erased, so the user is able to log back in any time.

class ApplicationController < ActionController::Base
  # ...

  before_filter :authenticate

  protected

  def authenticate
    authenticate_with_http_basic do |username, password|
      @current_user = User.find_by_name_and_crypted_password(username, User.digest(password))
      @current_user = nil if @current_user && session[:logged_out] == @current_user.id
      !@current_user.nil?
    end
  end

  def authenticate!
    return if @current_user
    session[:authenticate_uri] = request.request_uri
    redirect_to('/login')
  end
end

Then, on the events controller I do:

class EventsController < ApplicationController
  before_filter :authenticate!, :only => [ :new, :create, :edit, :update ]
  #...
end

And finally my session controller looks like this:

class SessionController < ApplicationController
  before_filter :authenticate!, :only => [ :create ]

  def create
    if session[:authenticate_uri]
      redirect_to(session[:authenticate_uri])
      session[:authenticate_uri] = nil
    else
      redirect_to(new_event_path)
    end
  end

  def destroy
    session[:logged_out] = @current_user.id
    redirect_to '/'
  end

  protected

  def authenticate!
    authenticate_or_request_with_http_basic("Rankings") do |username, password|
      @current_user = User.find_by_name_and_crypted_password(username, User.digest(password))
      if @current_user && session[:logged_out] == @current_user.id
        @current_user = nil
        session[:logged_out] = nil
      end
      !@current_user.nil?
    end
  end

end

And don't forget your routes!

  map.logout 'login', :controller => 'session', :action => 'create'
  map.logout 'logout', :controller => 'session', :action => 'destroy'

Answer 6

This link explains quite well how to do it: http://edendevelopment.co.uk/blogs/company/2009/03/23/under-the-hood-not-so-basic-authentication/

Answer 7

This only works for IE 6 SP1+:

javascript:void(document.execCommand('ClearAuthenticationCache', false)); 

http://msdn.microsoft.com/en-us/library/ms536979(VS.85).aspx

Note that this will clear the cache for all sites the user is currently logged into (within the same IE instance).

Answer 8

One way to fix this is to disable "basic http authentication" completely

But we needed this for good user experience during Ajax actions, so we enabled this authentication only for ajax actions

def login_from_basic_auth

  return false unless request.xhr?

   authenticate_with_http_basic do |login, password|
     self.current_user = User.authenticate(login, password)
   end
end