RoR: AuthenticatedSystem incorrectly redirects in Safari

I've been banging my head about this for days now:

I have a RoR application using AuthenticatedSystem that requires authentication for some resources. A before_filter checks if the user is logged in. If not, it grabs request.request_uri and puts it in a session variable (session[:return_to]) and then sends the user to the login page via a 302 redirect. Then, after login, the user is redirected back to the URL in session[:return_to].

This works great in IE and Firefox. In Safari, the request.request_uri on the initial before_filter is empty and the session controller is always redirected to the main page.

Has anyone encountered this before? The only clue I have is that the Safari web inspector doesn't even show a request for the start page, only the login request. In Firefox I see both requests.

Here's the before_filter:

def login_required
  if !authorized?
    session[:return_to] = request.request_uri
    redirect_to new_session_path
  end
end


Here's session/create:

def create
  self.current_user = User.authenticate(params[:login], params[:password])
  if logged_in?
    if params[:remember_me] == "1"
      current_user.remember_me unless current_user.remember_token?
      cookies[:auth_token] = { :value => self.current_user.remember_token , :expires => self.current_user.remember_token_expires_at }
    end
    redirect_back_or_default('/')
    flash[:notice] = "Logged in successfully"
  else
    flash.now[:error] = "Authentication failed."
    render :action => 'new'
  end
end


Any ideas?



1 answer


So, just in case someone comes across this ...

The answer seems to be that there is aggressive blocking of third party cookies in Safari. This error happened in the bookmarklet, which is basically an iframe added to a third party DOM website when the user decides to use it (don't worry, it's for something similar to the FriendFeed shortcut - basically a way for users to add content from other sites without leaving these sites).

Anyway, in this case, Safari treats the session cookie that Rails is trying to set as third-party, even though it's set from within the iframe. So all session variables are lost on redirection.



There are two possible solutions:

  • inform users to allow third party cookies (unhappy with this option).
  • pass the url "return_to" along with the form data and get it in the session controller (best option)
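The second option, carrying return_to in the login form instead of relying on the session cookie, is easy to get wrong: a form field is attacker-controlled, so the login action must only ever redirect to a path on its own site. The following is an added example (not code from the question, the answer, or the restful_authentication plugin) showing a same-site check and the resolution order a create action would use; the helper names resolve_return_to, local_path? and return_to_field are assumed for this example.

```ruby
require 'uri'
require 'cgi'

# Returns the path to send the user to after login. Preference order:
# 1. the hidden return_to field posted with the login form (survives a dropped
#    session cookie, which is the Safari third-party-cookie case above),
# 2. session[:return_to] as set by login_required (works where cookies stick),
# 3. the default.
# Anything that is not a local path is rejected, so a tampered form field
# cannot turn the login page into an open redirect.
def resolve_return_to(form_value, session_value, default = '/')
  [form_value, session_value].each do |candidate|
    return candidate if local_path?(candidate)
  end
  default
end

# A value is accepted only if it is a path-only URI: it must start with a
# single "/" (so "//evil.example" and "http://evil.example" are refused),
# and URI parsing must yield no scheme and no host.
def local_path?(value)
  return false if value.nil? || value.empty?
  return false unless value.start_with?('/')
  return false if value.start_with?('//')
  uri = URI.parse(value)
  uri.scheme.nil? && uri.host.nil?
rescue URI::InvalidURIError
  false
end

# The hidden field the login form (new.html.erb) would carry; the path is
# HTML-escaped so a query string cannot break out of the attribute.
def return_to_field(path)
  %(<input type="hidden" name="return_to" value="#{CGI.escapeHTML(path)}" />)
end

# Sketch of the change to SessionsController#create (assumed, replacing the
# original redirect_back_or_default('/') call):
#
#   redirect_to resolve_return_to(params[:return_to], session[:return_to])
#   session[:return_to] = nil
#
# and in login_required, besides setting session[:return_to], render the
# hidden field with return_to_field(request.request_uri) on the login page.
```

With this in place a lost session cookie only costs the session fallback; the form value still brings the user back, and an external or protocol-relative URL in either source falls through to the default.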