From 9f94a70c3e3d9bf766cb9663b0a904d30a190d85 Mon Sep 17 00:00:00 2001 From: simon Date: Sun, 8 Feb 2009 23:15:11 +0100 Subject: * initial commit of the stripped restful-authentication * http basic auth and login from cookie have been removed * no it does not work yet, it's so f*cking secure, it won't even let legitimate users login --- app/controllers/sessions_controller.rb | 40 ++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 app/controllers/sessions_controller.rb (limited to 'app/controllers/sessions_controller.rb') diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb new file mode 100644 index 0000000..7c06ac8 --- /dev/null +++ b/app/controllers/sessions_controller.rb @@ -0,0 +1,40 @@ +# This controller handles the login/logout function of the site. +class SessionsController < ApplicationController + + # render new.rhtml + def new + end + + def create + logout_keeping_session! + user = User.authenticate(params[:login], params[:password]) + if user + # Protects against session fixation attacks, causes request forgery + # protection if user resubmits an earlier form using back + # button. Uncomment if you understand the tradeoffs. + reset_session + + self.current_user = user + redirect_back_or_default('/') # TODO: insert appropriate path to cms main page + flash[:notice] = "Logged in successfully" + else + note_failed_signin + @login = params[:login] + @remember_me = params[:remember_me] + render :action => 'new' + end + end + + def destroy + logout_killing_session! + flash[:notice] = "You have been logged out." + redirect_back_or_default('/login') + end + +protected + # Track failed login attempts + def note_failed_signin + flash[:error] = "Couldn't log you in as '#{params[:login]}'" + logger.warn "Failed login for '#{params[:login]}' from #{request.remote_ip} at #{Time.now.utc}" + end +end -- cgit v1.3