
Automatic sign-out after sign-in #273

Closed
dejanstrbac opened this issue May 16, 2010 · 5 comments

Comments

@dejanstrbac

If a timeout occurs and the user is not aware of it, clicking on sign out will bring up a sign-in page; after the sign-in, the user is redirected to the sign-out and signed out.

It's silly, but there are two things we could do:

  • do not require signing-in if timeout occurred and the action being taken is sign-out
  • clear/ignore stored_location_for() after sign_in if it is equal to sign-out path
@josevalim
Contributor

Could you please work in a failing test case or a patch?

@dejanstrbac
Author

yup, looking into it

@josevalim
Contributor

I guess the simpler solution would be to always allow the sign_out action to be executed, no matter whether the user is signed in or not. It's supposed to work this way currently, but for some reason it's not. Can you please investigate?

@dejanstrbac
Author

You are right, that would be the best way. No matter if there was a timeout, sign-out action should always redirect to after_sign_out_path_for, which is expected by the user. Throwing the sign_in page after a sign_out click is a no-no.

However, I see two issues here.

  1. There is the potential attack vulnerability for looping, signing out automatically after sign-in. No matter how dull that may be, or how it could be exploited, doubts should be eliminated. Excuse my monkey patch (v1.0.7); it will prevent automatic sign-out:

```ruby
def sign_in_and_redirect(resource_or_scope, resource=nil, skip=false)
  scope      = Devise::Mapping.find_scope!(resource_or_scope)
  resource ||= resource_or_scope
  sign_in(scope, resource) unless skip
  ###
  # Ignore the stored location when it is the sign-out path for this scope
  sl = nil if (sl = stored_location_for(scope)) == destroy_session_path(scope)
  redirect_to sl || after_sign_in_path_for(resource)
  ###
end
```

Feels like this checking for stored_location and determining the right path should be a part of after_sign_in_path_for.

  2. Timeoutable works after a request but without knowing what it was. In case it's a sign-out it will still redirect to the sign-in page:

```ruby
if record.timedout?(last_request_at)
  warden.logout(scope)
  throw :warden, :scope => scope, :message => :timeout
end
```

Adding here another check if the request is a sign-out might work... Haven't directly worked with warden, got to check out this deeper.

Cheers
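The two checks discussed in this thread (ignoring a stored location that points at the sign-out route, and exempting a sign-out request from the idle-timeout check) as a stand-alone Ruby simulation. This is an added example, not code from the thread or from Devise; `FakeSession`, `after_sign_in_redirect`, `check_timeout` and the route strings are assumptions standing in for Devise's `stored_location_for`, `after_sign_in_path_for` and the Timeoutable hook.

```ruby
require 'uri'

# Constructed sample routes; in a real app these come from the Devise mapping.
SIGN_OUT_PATH   = '/users/sign_out'
ROOT_PATH       = '/'
TIMEOUT_SECONDS = 30 * 60

# Minimal stand-in for the session: the "return to" location Devise keeps
# in stored_location_for, the last-request timestamp Timeoutable reads,
# and whether a user is currently signed in.
class FakeSession
  attr_accessor :stored_location, :last_request_at, :signed_in

  def initialize(stored_location: nil, last_request_at: nil, signed_in: false)
    @stored_location = stored_location
    @last_request_at = last_request_at
    @signed_in       = signed_in
  end
end

# Compare request paths without the query string, so "/users/sign_out?x=1"
# still counts as the sign-out route.
def same_path?(a, b)
  URI.parse(a).path == URI.parse(b).path
end

# Check 1 (the stored_location idea from the report): after a successful
# sign-in, consume the stored location as Devise does, but refuse to redirect
# into the sign-out route. Returns the path the controller should redirect to.
def after_sign_in_redirect(session)
  stored = session.stored_location
  session.stored_location = nil          # stored_location_for is one-shot
  session.signed_in = true
  return ROOT_PATH if stored.nil? || same_path?(stored, SIGN_OUT_PATH)
  stored
end

# Check 2 (the fix the maintainer describes): run the idle-timeout check on
# every request, but let a sign-out request through untouched. With
# sign_out_exempt: false the old behaviour is reproduced, where a stale
# sign-out click is itself treated as a timed-out request.
def check_timeout(session, request_path:, now:, sign_out_exempt: true)
  return :allowed unless session.signed_in

  if sign_out_exempt && same_path?(request_path, SIGN_OUT_PATH)
    session.signed_in = false            # signing out works even on a stale session
    return :signed_out
  end

  last = session.last_request_at
  if last && (now - last) > TIMEOUT_SECONDS
    session.signed_in = false
    session.stored_location = request_path  # where the user was trying to go
    return :timeout                         # caller redirects to the sign-in page
  end

  session.last_request_at = now
  :allowed
end

if __FILE__ == $PROGRAM_NAME
  t0 = Time.at(0)
  stale = FakeSession.new(signed_in: true, last_request_at: t0)
  # Old behaviour: the sign-out click times out and the sign-out path is stored ...
  puts check_timeout(stale, request_path: SIGN_OUT_PATH, now: t0 + 3600, sign_out_exempt: false)
  # ... and check 1 keeps the following sign-in from bouncing into sign-out.
  puts after_sign_in_redirect(stale)
  # Fixed behaviour: the stale sign-out simply signs the user out.
  fixed = FakeSession.new(signed_in: true, last_request_at: t0)
  puts check_timeout(fixed, request_path: SIGN_OUT_PATH, now: t0 + 3600)
end
```

The two checks are independent and layered: the timeout exemption removes the loop at its source, while the stored-location check still protects against a sign-out URL that reached the session by some other route. Paths are compared without their query string so a sign-out link carrying parameters is not mistaken for a safe return location.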

@josevalim
Contributor

Check if the user is already signing out before timing out his connection, closed by 5e1ef93.

This issue was closed.