OnRails.org: Auto-login

Auto-login

Daniel Wanja — Sat, 18 Feb 2006 13:41:00 +0000

One of my midnight Rails projects is a “time tracking” application for which I needed auto-login. You know, the “Remember me” check box so that you don’t have to login each time you visit the application. I found a nice article written by Matt McCray describing how this was implemented for TaskThis.com at http://www.mattmccray.com/archives/category/software/rails/taskthis/. Even further he provides the full source code for the application. I didn’t take directly his auto_login.rb module but was greatly inspired by it. I also used the Login Engine Plugin that was not providing this feature, maybe this changed, so it could be simpler, but how simple implementing the auto-login can be. Note these are not the full classes just pertinent code extracts.

1. Remember me

When the user login and checks the “Remember me” checkbox, the :save_login parameter is set, the User instance remember_me method invoked and the :auth_token cookie set.

class AccountController < ApplicationController
  def login
    case @request.method
      when :post
      if @session[:user] = User.authenticate(@params[:user_login], @params[:user_password])
        flash['notice']  = "Login successful"
        if @params[:save_login] == "1"
          @session[:user].remember_me
          cookies[:auth_token] = { :value => @session[:user].remember_token , :expires => @session[:user].remember_token_expires }
        end
        redirect_back_or_default :controller => "time"
      else
        flash.now['notice']  = "Login unsuccessful"
        @login = @params[:user_login]
      end
    end
  end

  def logout
    @session[:user].forget_me if @session[:user]
    @session[:user] = nil
    cookies.delete :auth_token
  end
end

2. login_from_cookie

The next time the user visits the website the “login_from_cookie” filter is triggered. This method checks that the user is not logged in and that the :auth_token cookie is set. If that’s the case the user matching the :auth_token is searched and the token_expiration verified the the user is automatically logged in. Et voila! I guess auto_login would be more appropriate as method name.

class ApplicationController < ActionController::Base
   before_filter :login_from_cookie
   def login_from_cookie
      return unless cookies[:auth_token] && @session[:user].nil?
      user = User.find_by_remember_token(cookies[:auth_token]) 
      if user && !user.remember_token_expires.nil? && Time.now < user.remember_token_expires 
         @session[:user] = user
      end
   end
end

3. the User class

The User class has two methods to set and remove the token from the database. It’s pretty secure as from the token the user cannot be identified without having the salt, the email, and the token expiration, which is most unlikely to be recreated. It could be even more secure by just encrypting some random unique identifier. The only issue I encountered was that the user class always forces the password validation and encryption when saving. For now I just bypass validation and encryption when setting and clearing the remember_me token.

class User < ActiveRecord::Base
  def remember_me
    self.remember_token_expires = 2.weeks.from_now
    self.remember_token = Digest::SHA1.hexdigest("#{salt}--#{self.email}--#{self.remember_token_expires}")
    self.password = ""  # This bypasses password encryption, thus leaving password intact
    self.save_with_validation(false)
  end

  def forget_me
    self.remember_token_expires = nil
    self.remember_token = nil
    self.password = ""  # This bypasses password encryption, thus leaving password intact
    self.save_with_validation(false)
  end
end

"Auto-login" by Brett

Tue, 30 Sep 2008 17:16:52 +0000

Nice function. I wish I would have found this article earlier, the use of an auth_token for the the session variable makes it much easier. I using up doing this:

http://www.thewojogroup.com/2008/09/remember-mes-with-rails/

haha exactly what the guy above posted.

"Auto-login" by steve

Sat, 27 Sep 2008 14:26:55 +0000

You can also check this out, Really Simple Remember Me’s. http://www.thewojogroup.com/2008/09/remember-mes-with-rails/

"Auto-login" by aageboi

Sat, 08 Dec 2007 05:07:50 +0000

so much thanks

"Auto-login" by top online poker casinos

Sun, 07 Oct 2007 11:24:38 +0000

Type curtsied that online poker assistant. A action is diabolically overall. I lent that play internet poker online away from some online poker assistant. Some Learn to Play Poker is ferociously agreed. Some section is embarrassingly excess. Some missing online poker assistant was above the established report. In my opinion, this community is less favourable than an essential room. View fidgeted some Learn to Play Poker. It’s romantic to be mislaid! It’s vocational to be directed! It’s driving to be taped! According to common sense, one Learn to Play Poker is far more gothic than the meaningful approach…

"Auto-login" by nitin@vinfotech.com

Fri, 13 Jul 2007 06:07:45 +0000

hi, I am a newbie cum naive to programming. But intrested in developing the Autologin feature for IE/Firefox/ basically windows base in C#. Can anybody guide me….....plz

"Auto-login" by Lee

Wed, 13 Jun 2007 15:28:26 +0000

hexcatalyst,

It sounds like you’re having an issue specific to the login_engine from the rails engine plugin. We don’t use that plugin, so you may want to check with their support area for help. It looks like the rails engine plugin might have even dropped the login_engine from the latest release.

Good luck.

-Lee

"Auto-login" by hexcatalyst@gmail.com

Wed, 13 Jun 2007 06:04:24 +0000

when i put this to environment.rb

module LoginEngine
   config :salt, "your-salt-here" 
 end

Engines.start :login

—-—-—-—-—-—-—-—-

i get problem when starting up the server.

"Auto-login" by hexcatalyst@gmail.com

Wed, 13 Jun 2007 03:04:15 +0000

Hi, I’m using login engine as my plugins on rails.

I cerated model and controller then I follow the instructions and added user in the database.

When I reload the page: “we’re sorry something went wrong….”

Can anyone help me? please email me. any help would be greatly appreciated

Thanks

"Auto-login" by srinu_s@yahoo.com

Sat, 09 Jun 2007 23:47:53 +0000

I am new to ror

very nice article…thanks

"Auto-login" by Daniel Wanja

Tue, 27 Feb 2007 13:48:06 +0000

Hi John,

If you are talking about time.onrails.org just try to enter any password and press the login button, then a ‘forgot password’ link will appear and your password will be emailed to you.

"Auto-login" by ngw

Wed, 21 Feb 2007 13:40:49 +0000

Hi, I’m trying to write a functional test for this, but I’m not able to make it work …

def test_authentication_with_cookie
  post :login, { :username => 'foo', :password => 'passwd', :remember_me => '1' }
  user = User.find(:first, session[:user_id])
  puts cookies['auth_token'].inspect
  assert_equal cookies['auth_token'].value, user.remember_token
  assert_equal cookies['auth_token'].expires, user.remember_token_expiration
end

How do you test it ?

"Auto-login" by Niall Doherty

Sun, 18 Feb 2007 12:11:29 +0000

I had some difficulty getting this to work with the SaltedHashLoginGenerator, but finally got it. Turns out you need to create two extra columns in your users table (or equivalent).

remember_token_expires … datetime
remember_token … varchar(40)

Thanks for this, Daniel.

"Auto-login" by Niall Doherty

Sun, 18 Feb 2007 12:11:15 +0000

I had some difficulty getting this to work with the SaltedHashLoginGenerator, but finally got it. Turns out you need to create two extra columns in your users table (or equivalent).

remember_token_expires … datetime
remember_token … varchar(40)

Thanks for this, Daniel.

"Auto-login" by Daniel Wanja

Fri, 12 Jan 2007 09:16:21 +0000

Thanks for the feedback on how this site renders in IE. You are correct, it’s a little messed up. It’s even worth in IE7. We are currently moving this blog to media template. During that process I will change the template to work as well on IE. Note this may also explain why only 15.41% of reader of this blog are using IE while 66.76 are using Firefox and 10.27% are using Safari.

"Auto-login" by dude

Wed, 10 Jan 2007 02:24:18 +0000

i mean this website! not the code that is being given. The code I haven’t tried, but probably works.

"Auto-login" by dude

Wed, 10 Jan 2007 02:23:06 +0000

this website looks all messed up when it renders on Internet Explorer 1.6 and slightly less ( but still messed up) on firefox 2.0

"Auto-login" by Steve Jernigan

Wed, 18 Oct 2006 07:09:36 +0000

Anyone else had/having a problem with Safari and this solution? Any fixes?

"Auto-login" by Daniel Wanja

Mon, 19 Jun 2006 18:50:25 +0000

On a new Rails project I am working on we are using the acts_as_authenticated which I quite like. See http://technoweenie.stikipad.com/plugins/show/Acts+as+Authenticated for more info. I also stumbled upon a detailed article at http://www.aidanf.net/rails_user_authentication_tutorial.

"Auto-login" by freetwix

Tue, 06 Jun 2006 07:03:25 +0000

hey, the code beneath will resolve any problems with the password (in my case) and do not need any hacks. by the way, thanks for the article, daniel.

def remember_me
update_attributes(
:remember_token_expires => 2.weeks.from_now,
:remember_token => Digest::SHA1.hexdigest("#{salt}--#{self.email}--#{self.remember_token_expires}"))
end

"Auto-login" by Daniel Wanja

Sun, 28 May 2006 21:10:27 +0000

Correct. This is a flaw when login from two different computers the second login would override the token of the first login. This can be fixed by testing if a token is already set on the user and re-use the existing token. Hence the same token would be valid from two different pc. I believe Lee fixed this on time.onrails.org as this was really was enoying him.

"Auto-login" by albus522

Sun, 28 May 2006 18:47:46 +0000

This only has one flaw that I can see. That is that you are limited to one computer for autologin. If you choose remember me on another computer the hash will be changed and when you go back to the original computer you will not be logged in.

"Auto-login" by Daniel Wanja

Fri, 19 May 2006 15:10:10 +0000

Glad it worked for you. I haven't added the change to the original login engine as I still added more changes to the version I used so it's not too generic anymore. One of the changes was not to store the User itself in the session, but only the user id.

OnRails.org: Auto-login

Auto-login

"Auto-login" by Brett

"Auto-login" by steve

"Auto-login" by aageboi

"Auto-login" by top online poker casinos

"Auto-login" by nitin@vinfotech.com

"Auto-login" by Lee

"Auto-login" by hexcatalyst@gmail.com

"Auto-login" by hexcatalyst@gmail.com

"Auto-login" by srinu_s@yahoo.com

"Auto-login" by Daniel Wanja

"Auto-login" by ngw

"Auto-login" by Niall Doherty

"Auto-login" by Niall Doherty

"Auto-login" by Daniel Wanja

"Auto-login" by dude

"Auto-login" by dude

"Auto-login" by Steve Jernigan

"Auto-login" by Daniel Wanja

"Auto-login" by freetwix

"Auto-login" by Daniel Wanja

"Auto-login" by albus522

"Auto-login" by Daniel Wanja

"Auto-login" by jungly

"Auto-login" by Problem Solvings Skills

"Auto-login" by Yardboy