Folks,

What're your recommendations for holding the state of a logged-in user, such that I can access it from a view?

I want to use layouts, but display different layout content for logged-on users and those who aren't authenticated.

All thoughts & experiences welcome.

Cheers,

RoRy
http://ontherails.blogspot.com
On Fri, 5 Nov 2004 13:26:32 +0000, On The Rails <ontherails-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> I want to use layouts, but display different layout content for
> logged-on users and those who aren't authenticated.

The 'layout' method can take a symbol as an argument which points to another method. The other method can be used to check the status of the user and return the proper layout file to use. I.e.:

  ...
  layout :choose_layout
  ...
  def choose_layout
    if @session['logged_in_user']
      'layouts/logged_in'
    else
      'layouts/not_logged_in'
    end
  end
  ...

--
Regards,
John Wilger

-----------
Alice came to a fork in the road. "Which road do I take?" she asked.
"Where do you want to go?" responded the Cheshire cat.
"I don't know," Alice answered.
"Then," said the cat, "it doesn't matter."
- Lewis Carrol, Alice in Wonderland
On Fri, Nov 05, 2004 at 01:26:32PM +0000, On The Rails wrote:
> Folks,
>
> What're your recommendations for holding the state of a logged-in
> user, such that I can access it from a view?
>
> I want to use layouts, but display different layout content for
> logged-on users and those who aren't authenticated.
>
> All thoughts & experiences welcome.
>
> Cheers,
>
> RoRy
> http://ontherails.blogspot.com

Hi,

If you mean that you want a different layout depending on whether or not the user is logged in, the layout call can take a symbol (and I think a block or a Proc too), so you could do something like (in your controller):

  layout :choose_layout

  def choose_layout
    if logged_in?
      'layouts/logged_in'
    else
      'layouts/not_logged_in'
    end
  end

For example (where logged_in? is just something I made up, you'd probably check the session or something, depending on your log in scheme). I use this in some controllers where I have an action or two that require a different (or no) layout.

Am I understanding your question correctly?

-Scott
Thanks John/Scott, that's quite neat actually.

That said, it's not so much that I want to display a whole different layout. Rather, I'm trying to display different _parts_ of a layout. Sounds like I just use ruby to check conditions in the rhtml templates like you have above.

Scott alluded to what I was getting at actually. It's the session object I'm grappling with (noob web-app developer here). That is, where and how should I set up and maintain this "logged_in_user" attribute? In the authentication method? Is this better than having a "logged_in?" method on my person model? etc. etc.

RoRy
http://ontherails.blogspot.com

On Fri, 5 Nov 2004 08:33:26 -0500, John Wilger <johnwilger-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> On Fri, 5 Nov 2004 13:26:32 +0000, On The Rails <ontherails-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> > I want to use layouts, but display different layout content for
> > logged-on users and those who aren't authenticated.
>
> The 'layout' method can take a symbol as an argument which points to
> another method. The other method can be used to check the status of
> the user and return the proper layout file to use. I.e.:
>
>   ...
>   layout :choose_layout
>   ...
>   def choose_layout
>     if @session['logged_in_user']
>       'layouts/logged_in'
>     else
>       'layouts/not_logged_in'
>     end
>   end
>   ...
>
> --
> Regards,
> John Wilger
>
> -----------
> Alice came to a fork in the road. "Which road do I take?" she asked.
> "Where do you want to go?" responded the Cheshire cat.
> "I don't know," Alice answered.
> "Then," said the cat, "it doesn't matter."
> - Lewis Carrol, Alice in Wonderland
>
On Fri, 5 Nov 2004 13:46:28 +0000, On The Rails <ontherails-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> That said, it's not so much that I want to display a whole different
> layout. Rather, I'm trying to display different _parts_ of a layout.
> Sounds like I just use ruby to check conditions in the rhtml templates
> like you have above.

You _could_ do it in the template---however that seems to me to be in the gray area of the line separating business logic (which belongs in your controller) and presentation logic (which belongs in the view). I'm still a bit new to Rails/Ruby myself, so I'm not necessarily the best person to comment on the best way to achieve this separation in this case. Then again, the agile way is to "do the simplest thing that could possibly work," so I might not worry about it too much. ;-)

> It's the session object I'm grappling with however (noob web-app
> developer here). That is, where and how should I set up and maintain
> this "logged_in_user" attribute? In the authentication method? Is this
> better than having a "logged_in?" method on my person model? etc. etc.

There are certainly a lot of ways you could approach this, however the most straightforward is to simply store the Person object representing the logged in user directly in the session. You could create a LoginController with an authenticate action that finds the correct Person object (based on username and password supplied) and inserts that object into a session variable (i.e. @session['current_user'] = authenticated_user_person_object).

Then all you have to do is check against @session['current_user'] or @session['current_user'].nil? to see if they are logged in or not.

Also, make sure your logout action sets @session['current_user'] = nil and/or destroys the session.

--
Regards,
John Wilger

-----------
Alice came to a fork in the road. "Which road do I take?" she asked.
"Where do you want to go?" responded the Cheshire cat.
"I don't know," Alice answered.
"Then," said the cat, "it doesn't matter."
- Lewis Carrol, Alice in Wonderland
Thanks John, I thought it would (should?!) be more complex than that. Either way, that's the sort of 101 stuff I was looking for.

On Fri, 5 Nov 2004 09:04:55 -0500, John Wilger <johnwilger-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> On Fri, 5 Nov 2004 13:46:28 +0000, On The Rails <ontherails-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> > That said, it's not so much that I want to display a whole different
> > layout. Rather, I'm trying to display different _parts_ of a layout.
> > Sounds like I just use ruby to check conditions in the rhtml templates
> > like you have above.
>
> You _could_ do it in the template---however that seems to me to be in
> the gray area of the line separating business logic (which belongs in
> your controller) and presentation logic (which belongs in the view).
> I'm still a bit new to Rails/Ruby myself, so I'm not necessarily the
> best person to comment on the best way to achieve this separation in
> this case. Then again, the agile way is to "do the simplest thing that
> could possibly work," so I might not worry about it too much. ;-)
>
> > It's the session object I'm grappling with however (noob web-app
> > developer here). That is, where and how should I set up and maintain
> > this "logged_in_user" attribute? In the authentication method? Is this
> > better than having a "logged_in?" method on my person model? etc. etc.
>
> There are certainly a lot of ways you could approach this, however the
> most straightforward is to simply store the Person object representing
> the logged in user directly in the session. You could create a
> LoginController with an authenticate action that finds the correct
> Person object (based on username and password supplied) and inserts
> that object into a session variable (i.e. @session['current_user'] =
> authenticated_user_person_object).
>
> Then all you have to do is check against @session['current_user'] or
> @session['current_user'].nil? to see if they are logged in or not.
>
> Also, make sure your logout action sets @session['current_user'] = nil
> and/or destroys the session.
>
> --
> Regards,
> John Wilger
>
> -----------
> Alice came to a fork in the road. "Which road do I take?" she asked.
> "Where do you want to go?" responded the Cheshire cat.
> "I don't know," Alice answered.
> "Then," said the cat, "it doesn't matter."
> - Lewis Carrol, Alice in Wonderland
> _______________________________________________
> Rails mailing list
> Rails-1W37MKcQCpIf0INCOvqR/iCwEArCW2h5@public.gmane.org
> http://lists.rubyonrails.org/mailman/listinfo/rails
>
BTW, the authentication method I described is straight from one of the Rails howtos: http://www.rubyonrails.org/show/HowtoAuthenticate

--
Regards,
John Wilger

-----------
Alice came to a fork in the road. "Which road do I take?" she asked.
"Where do you want to go?" responded the Cheshire cat.
"I don't know," Alice answered.
"Then," said the cat, "it doesn't matter."
- Lewis Carrol, Alice in Wonderland
>>>>> "John" == John Wilger <johnwilger-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> writes:

John> There are certainly a lot of ways you could approach this,
John> however the most straightforward is to simply store the
John> Person object representing the logged in user directly in
John> the session. You could create a LoginController with an
John> authenticate action that finds the correct Person object
John> (based on username and password supplied) and inserts that
John> object into a session variable
John> (i.e. @session['current_user'] =
John> authenticated_user_person_object).

Session is serialized into a cookie, right? Is this encrypted to protect the user from updating the value and pretending to be someone he is not?

Gleb
Session, by default, is kept in a binary file on your HD ( /tmp to be exact ). A cookie containing the ID of the session is sent out to the user. Alternatively you can store the session in database or memory.

On Fri, 05 Nov 2004 14:35:48 -0800, Gleb Arshinov <gleb-T2NBlHa6u1dBDgjK7y7TUQ@public.gmane.org> wrote:
> >>>>> "John" == John Wilger <johnwilger-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> writes:
>
> John> There are certainly a lot of ways you could approach this,
> John> however the most straightforward is to simply store the
> John> Person object representing the logged in user directly in
> John> the session. You could create a LoginController with an
> John> authenticate action that finds the correct Person object
> John> (based on username and password supplied) and inserts that
> John> object into a session variable
> John> (i.e. @session['current_user'] =
> John> authenticated_user_person_object).
>
> Session is serialized into a cookie, right? Is this encrypted to
> protect the user from updating the value and pretending to be someone
> he is not?
>
> Gleb
>

--
Tobi
>>>>> "Tobias" == Tobias Luetke <tobias.luetke-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> writes:

Tobias> Session, by default, is kept in a binary file on your HD (
Tobias> /tmp to be exact ). A cookie containing the ID of the
Tobias> session is sent out to the user. Alternatively you can
Tobias> store the session in database or memory.

OK, that makes more sense now.

Thanks,
Gleb
Tobias Luetke wrote:
> Session, by default, is kept in a binary file on your HD ( /tmp to be exact ).
> A cookie containing the ID of the session is sent out to the user.
> Alternatively you can store the session in database or memory.
>
>> Session is serialized into a cookie, right? Is this encrypted to
>> protect the user from updating the value and pretending to be someone
>> he is not?
>>

To answer the original question, the cookie in the browser contains the session ID (which maps HTTP requests from this browser to a particular session object on the server). You can, indeed, change the session ID value on the client side and thus pretend to be somebody else. Somebody please correct me if I am wrong - but I certainly remember doing it in some debugging session a few months ago.

Brgds,
Alex
On 06/11/2004, at 11:04 PM, Alexey Verkhovsky wrote:
> You can, indeed, change the session ID value on the client side and
> thus pretend to be somebody else. Somebody please correct me if I am
> wrong - but I certainly remember doing it in some debugging session
> a few months ago.

Isn't that risky (from a security point of view)?

/B

--
Bruno Mattarollo <bmatt-ee4meeAH724@public.gmane.org>
Currently in: Sydney, Australia
[ http://pokies.typepad.com/virtual_possum/ ]
Tobias Luetke wrote:
> you would have to guess the session ID of someone else. Not bloody
> likely. Also there is no alternative to this tech. That's how all
> sessions on the internet are handled.
>

To get it by sniffing on the network traffic, more probably. A more secure alternative to this tech, as far as I understand it, is "all browser <-> server communications go via HTTPS (not just the login form)". In both physical and information security, there is no such thing as absolute security - only varying degrees of difficulty and risk to the intruder.

Best regards,
Alex
you would have to guess the session ID of someone else. Not bloody likely. Also there is no alternative to this tech. That's how all sessions on the internet are handled.

On Sun, 7 Nov 2004 01:58:01 +1100, Bruno Mattarollo <bmatt-ee4meeAH724@public.gmane.org> wrote:
>
> On 06/11/2004, at 11:04 PM, Alexey Verkhovsky wrote:
>
> > You can, indeed, change the session ID value on the client side and
> > thus pretend to be somebody else. Somebody please correct me if I am
> > wrong - but I certainly remember doing it in some debugging session
> > a few months ago.
>
> Isn't that risky (from a security point of view)?
>
> /B
>
> --
> Bruno Mattarollo <bmatt-ee4meeAH724@public.gmane.org>
> Currently in: Sydney, Australia
> [ http://pokies.typepad.com/virtual_possum/ ]
>

--
Tobi
On Sun, 7 Nov 2004 01:58:01 +1100, Bruno Mattarollo <bmatt-ee4meeAH724@public.gmane.org> wrote:
>
> Isn't that risky (from a security point of view)?

Best practice is to use a cryptographically safe, non-sequential, sufficiently random session key. Guessing such a key would be comparable to guessing someone's PGP private key.

--
Chris Brooks
http://www.chrisbrooks.org
OK, I have been looking at the CGI library that builds the session ID and it's using MD5 as the digest library. In a recent crypto conference there were a few concerns about MD5 as a "secure" algorithm. There was a somewhat incomprehensible paper presented that stated that some collisions could be found in MD5 [ http://www.freedom-to-tinker.com/archives/000662.html ]

Anyways, if your sessions only depend on the session ID (which I assume is stored in a cookie) and you are only using HTTP then it would be trivial to "listen" to your network traffic (assuming you can get to somewhere where you can actually do that) and get that information.

But anyways, that was the base for my concern, I wasn't sure how that _session_id number was generated.

Cheers

/B

On 07/11/2004, at 2:55 AM, Tobias Luetke wrote:
> you would have to guess the session ID of someone else. Not bloody
> likely. Also there is no alternative to this tech. That's how all
> sessions on the internet are handled.

--
Bruno Mattarollo <bmatt-ee4meeAH724@public.gmane.org>
Currently in: Sydney, Australia
[ http://pokies.typepad.com/virtual_possum/ ]
You could always opt to restrict the session to a specific IP. Wouldn't stop attackers sharing the same proxy as the target, and would cause problems for users using load-balancing proxies, but it could always be an option when logging in...

//F
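The points made across the thread (the server-side store that only hands the browser an opaque ID, Chris's "cryptographically safe, non-sequential" key, John's login/logout handling of current_user, and the optional IP binding just above) fit together in one model. The following is an added example in plain Ruby, not code from the thread, from the Rails howto or from the Rails/CGI session library; the SessionStore class, its method names, the 10.0.0.1 / 192.0.2.9 client addresses and the user id 42 are all constructed for the illustration.

```ruby
require 'securerandom'

# Added example: a constructed in-memory model of the server-side session
# store the thread describes. The browser only ever holds the opaque session
# ID; the logged-in user lives on the server. Class and method names are this
# example's own, not the Rails API.
class SessionStore
  Session = Struct.new(:id, :data, :client_ip)

  def initialize
    @sessions = {}
  end

  # 128 bits from the OS CSPRNG as 32 hex characters: a non-sequential,
  # unguessable key. A counter, or a digest of predictable inputs such as
  # time and PID, would be far easier to enumerate regardless of which
  # hash function produced it.
  def new_id
    SecureRandom.hex(16)
  end

  # Start an anonymous session; the returned ID is what goes in the cookie.
  def create(client_ip)
    id = new_id
    @sessions[id] = Session.new(id, {}, client_ip)
    id
  end

  # Resolve a cookie value to a session. With bind_ip the session is only
  # honoured from the address it was created from (the option raised at the
  # end of the thread); it is switchable because users behind load-balancing
  # proxies can change apparent address mid-session.
  def fetch(id, client_ip, bind_ip: true)
    session = @sessions[id]
    return nil if session.nil?
    return nil if bind_ip && session.client_ip != client_ip
    session
  end

  # Called once credentials have been verified elsewhere (the authenticate
  # action in the HowtoAuthenticate pattern). The pre-login ID is discarded
  # and a fresh one issued, so an ID that was already in the browser before
  # authentication never turns into a logged-in session (session fixation).
  def login(old_id, client_ip, user_id)
    @sessions.delete(old_id)
    id = create(client_ip)
    @sessions[id].data[:current_user] = user_id
    id
  end

  # Logout destroys the server-side session rather than only clearing
  # current_user, so the old cookie value is worthless afterwards.
  def logout(id)
    @sessions.delete(id)
    nil
  end

  # The check a controller or layout makes, equivalent to testing
  # @session['current_user'].nil? in the thread.
  def current_user(id, client_ip)
    session = fetch(id, client_ip)
    session && session.data[:current_user]
  end

  def logged_in?(id, client_ip)
    !current_user(id, client_ip).nil?
  end
end

if __FILE__ == $PROGRAM_NAME
  store = SessionStore.new
  anon = store.create('10.0.0.1')  # constructed client address
  puts "anonymous logged in?            #{store.logged_in?(anon, '10.0.0.1')}"
  auth = store.login(anon, '10.0.0.1', 42)  # 42: constructed user id
  puts "ID rotated on login?            #{auth != anon}"
  puts "user logged in?                 #{store.logged_in?(auth, '10.0.0.1')}"
  puts "same cookie from other address? #{store.logged_in?(auth, '192.0.2.9')}"
  store.logout(auth)
  puts "after logout?                   #{store.logged_in?(auth, '10.0.0.1')}"
end
```

Run it with `ruby session_store.rb`. Two design choices carry the thread's security concerns: the ID is rotated on login, so the value Alex could edit by hand in a debugging session is only ever an anonymous one, and the whole session record is dropped on logout rather than just the current_user key, so a captured cookie stops working the moment the user signs out. Transport protection (HTTPS for the whole session, as Alex notes) is outside what this store can do and still has to be handled at the web server.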