320ff01e07
Remove the "Remember" checkbox from the login page. Make session cookies permanent instead. Phase out legacy `user_name` and `password_hash` cookies. Previously a user's session cookies would be cleared whenever they closed their browser window, which would log them out of the site. To work around this, when the "Remember" box was checked on the login page (which it was by default), the user's name and password hash (!) would be stored in separate permanent cookies, which would be used to automatically log the user back in when their session cookies were cleared. We can avoid all of this just by making the session cookies themselves permanent.
33 lines
874 B
Ruby
33 lines
874 B
Ruby
class SessionsController < ApplicationController
|
|
respond_to :html, :json
|
|
skip_forgery_protection only: :create, if: -> { !request.format.html? }
|
|
|
|
def new
|
|
@user = User.new
|
|
end
|
|
|
|
def create
|
|
session_creator = SessionCreator.new(session, params[:name], params[:password], request.remote_ip)
|
|
|
|
if session_creator.authenticate
|
|
url = params[:url] if params[:url] && params[:url].start_with?("/")
|
|
url = posts_path if url.nil?
|
|
respond_with(session_creator.user, location: url, methods: [:api_token])
|
|
else
|
|
flash.now[:notice] = "Password was incorrect"
|
|
raise SessionLoader::AuthenticationFailure
|
|
end
|
|
end
|
|
|
|
def destroy
|
|
session.delete(:user_id)
|
|
cookies.delete(:user_name)
|
|
cookies.delete(:password_hash)
|
|
redirect_to(posts_path, :notice => "You are now logged out")
|
|
end
|
|
|
|
def sign_out
|
|
destroy()
|
|
end
|
|
end
|