You'll need to install the 'openid' gem for this, and require it in your camping app:
require 'openid'

class Login < R '/login'
  def get
    # Camping's URL helper returns a scheme-less //host/path URI, hence the 'http:' prefix.
    this_url = 'http:' + URL('/login').to_s
    unless input.finish.to_s == '1'
      # start doing the auth here: discover the provider for the submitted identifier
      # and send the user there. The form field is named openid_identifier (see below).
      # A nil store puts the consumer in stateless mode; @state is the Camping session.
      begin
        oid_request = OpenID::Consumer.new(@state, nil).begin(input.openid_identifier)
        # flag the return trip so this same controller finishes the exchange
        oid_request.return_to_args['finish'] = '1'
        redirect(oid_request.redirect_url('http:' + URL('/').to_s, this_url))
      rescue OpenID::DiscoveryFailure
        return 'Couldn\'t find an OpenID at that address, are you sure it is one?'
      end
    else
      # finish the auth here: the library verifies the provider's answer against this_url
      response = OpenID::Consumer.new(@state, nil).complete(input, this_url)
      case response.status
      when OpenID::Consumer::SUCCESS
        @state.identity = response.identity_url.to_s
        return redirect(R(HomeScreen))
      when OpenID::Consumer::FAILURE
        'The OpenID thing doesn\'t think you really are that person, they said: ' + response.message
      else
        # CANCEL and SETUP_NEEDED otherwise fall through with an empty body
        'The OpenID login was cancelled or could not be completed.'
      end
    end
  end
end
Then just point a form at /login with an input by the name of openid_identifier, and you have yourself some auth! It will set @state.identity to their OpenID URL. Using this you can auth people with existing AOL, LiveJournal, Yahoo accounts, and a lot of littler OpenID providers too. It could sure use some upgrades in the error reporting department, which you could hook up to your own error pages or whatever. I'll be using this in an app which doesn't use any relational databases, just file system storage. You'll probably want to change the 'return redirect(R(HomeScreen))' line near the end to some page in your app that logged in users go to before you take this online too. :)
Public Domain.
Jenna
Okay, so I cleaned this up a little, made it suck less when using it in CGI camping, and put it on the wiki (which should really support OpenID! I had to register a RubyForge account and had all problems getting the account activated to contribute! Darn you RubyForge!) So here it is, OpenID on Wiki!

http://code.whytheluckystiff.net/camping/wiki/AuthenticatingOpenIDs

Also, check out Cookie Sessions!

http://code.whytheluckystiff.net/camping/wiki/CookieSessions

They're hip, they're new, they're slightly worrying but if you think about it secure anyway, and they don't mess up your database or filesystem with a bunch of files!

Also, here's a simple way to stop XSS dead!

http://code.whytheluckystiff.net/camping/wiki/XssBeGoneWithSessions

Jenna "is hoping all this will earn her some oats!" Fox
Everyone can read their session, though. I can post an example which encrypts everything (don't expect it to be super-fast).

On Tue, May 20, 2008 at 7:30 AM, Bluebie, Jenna <blueberry at creativepony.com> wrote:
> Also, here's a simple way to stop XSS dead!
> http://code.whytheluckystiff.net/camping/wiki/XssBeGoneWithSessions

--
Magnus Holm
Sure, but if you're building an app that keeps secrets about me from me, I'd rather not use it, thank you.

On 20/05/2008, at 6:01 PM, Magnus Holm wrote:
> Everyone can read their session, though. I can post an example which
> encrypts everything (don't expect it to be super-fast).
Cookies can be stolen. I'm protecting you against yourself :-P

2008/5/20, Bluebie, Jenna <blueberry at creativepony.com>:
> Sure, but if you're building an app that keeps secrets about me from
> me, I'd rather not use it, thank you.

--
Magnus Holm
How does encrypting them make any difference against steal-ability? Wouldn't putting the IP address of the user be more to the point? Though that would lock out many users from ISPs using proxies. I'm certainly aware of XSS issues and even posted a simple way of blocking them in camping controllers which you'll find 3 replies ago. Encrypting cookies won't change that issue one bit.

On 20/05/2008, at 7:01 PM, Magnus Holm wrote:
> Cookies can be stolen. I'm protecting you against yourself :-P
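The cookie-session exchange above (the holder can read it, a stolen copy replays, binding it to the client IP as a mitigation) as an added Ruby example, not code from the thread or from Camping's CookieSessions page. The CookieSession class, its secret, TTL and the sample identity URLs and addresses in its usage are all constructed for illustration.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Added example, not code from the thread or from Camping: a cookie-backed
# session that is HMAC-signed (readable by its holder, not forgeable) with an
# expiry and an optional binding value such as the client IP.
class CookieSession
  def initialize(secret, ttl: 3600)
    @secret = secret   # constructed for the example; load from config in a real app
    @ttl = ttl         # an upper bound on how long a stolen copy stays replayable
  end

  # Serialize the session, stamp an expiry, optionally record a binding
  # value, and append an HMAC-SHA256 tag. The payload is only base64, so the
  # browser (or anyone who copies the cookie) can decode and read it.
  def seal(data, bind: nil, now: Time.now.to_i)
    body = data.merge('exp' => now + @ttl)
    body['bind'] = bind if bind
    payload = Base64.strict_encode64(JSON.generate(body))
    "#{payload}--#{tag(payload)}"
  end

  # Returns the session hash, or nil when the tag does not verify, the
  # session has expired, or the binding value differs from the one presented.
  def unseal(cookie, bind: nil, now: Time.now.to_i)
    payload, tag = cookie.to_s.split('--', 2)
    return nil unless payload && tag && secure_equal(tag, tag(payload))
    body = JSON.parse(Base64.strict_decode64(payload))
    return nil if body['exp'].to_i < now
    return nil if body.key?('bind') && body['bind'] != bind
    body
  rescue ArgumentError, JSON::ParserError
    nil
  end

  private

  def tag(payload)
    OpenSSL::HMAC.hexdigest('SHA256', @secret, payload)
  end

  # Constant-time comparison so a forged tag cannot be matched byte by byte.
  def secure_equal(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

Encrypting the payload instead of (or as well as) signing it hides the contents from the holder but changes nothing about replay: whoever copies the cookie can present it until the expiry or binding check rejects it.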