Conflicting sessions?


kez

Apr 12, 2012, 10:03:32 AM
to ram...@googlegroups.com
Hello -

I am using Sequel to store session objects (Ramaze::Cache.options.session = Ramaze::Cache::Sequel.using(...)) and am experiencing session overwriting/conflicts between browsers.  E.g.:

 - Open Safari and log in as User 1
 - Open Firefox and log in as User 2
 - Switch back to Safari and refresh; we are now running as User 2

Am I right in thinking that the session ID is keyed off the IP of the user logging in, so the most recent matching key in the session store wins out? (e.g. User 2).

Do I need to somehow tie the session to a cookie stored on a per-browser basis?  I (obviously) do not have a great understanding of this stuff, so any insight would be greatly appreciated.  What I am looking for is something similar to how Google behaves (multiple browsers can have different users logged in).

Cheers!

- kez

Yorick Peterse

Apr 12, 2012, 10:36:58 AM
to ram...@googlegroups.com
Dear Kez,

Sessions are tied to a session ID, this session ID is stored in a cookie
in the browser. How are you authenticating users, are you using the User
helper?

Yorick

> --
> You received this message because you are subscribed to the Google
> Groups "Ramaze" group.
> To view this discussion on the web visit
> https://groups.google.com/d/msg/ramaze/-/bh3NY1BpkVgJ.
> To post to this group, send email to ram...@googlegroups.com.
> To unsubscribe from this group, send email to
> ramaze+un...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/ramaze?hl=en.


kez

Apr 12, 2012, 12:55:35 PM
to ram...@googlegroups.com
Hi Yorick -

Yup, using:

  user_login(request.subset(:login, :password))

To actually do the login.  My login_or_user method is like this:

  def login_or_user(login)
    @user = nil

    if login
      @user = User[:email => login]
    elsif logged_in?
      @user = user
    else
      nil
    end
  end

Not sure if that should be ::User or not?  The same behaviour happens without the caching via Sequel, too.

Do you know of any up to date sample code for the User helper?  I'm on 2012.03.07

Cheers,

- kez

Yorick Peterse

Apr 12, 2012, 1:17:55 PM
to ram...@googlegroups.com
Dear Kez,

The authentication method should not store any objects in an instance of
a controller as that could conflict with other data (although it
shouldn't conflict with different sessions). In other words, this is
wrong:

    class User < Sequel::Model
      def self.authenticate(creds)
        # This assumes you're not hashing passwords (or supplying pre
        # hashed ones), *DON'T* use this in production.
        @user = User[
          :email    => creds['email'],
          :password => creds['password']
        ]

        # @user here belongs to the User class object itself, so every
        # request in the process shares it.
        if @user
          return @user
        else
          return false
        end
      end
    end

This however is correct (note the use of local variables):

    class User < Sequel::Model
      def self.authenticate(creds)
        # This assumes you're not hashing passwords (or supplying pre
        # hashed ones), *DON'T* use this in production.
        user = User[
          :email    => creds['email'],
          :password => creds['password']
        ]

        if user
          return user
        else
          return false
        end
      end
    end

The reason the former is incorrect is that the instance variables will
be saved on class level (since the authenticate method is a class
method), this means that once it's set it's available for other users
(or more precisely, requests) as well.

If you want to access the user object after a user has been logged in
you can do so by simply calling `user` inside your controller, this is a
method that returns the user object for the current session.

Yorick
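The class-level state Yorick describes is easy to reproduce outside Ramaze. The following is an added example, not code from the thread or from Ramaze: it replays the Safari/Firefox steps from the first post against two versions of `authenticate`, one that assigns `@user` inside a class method and one that uses a local and hands the result to a per-session store. The user table is constructed in memory in place of the Sequel model, and passwords are checked with PBKDF2 from Ruby's stdlib instead of the bcrypt comparison kez uses, purely so the block runs without extra gems.

```ruby
require 'openssl'

# Constructed user table standing in for the Sequel-backed User model.
# Digests are PBKDF2-HMAC-SHA256 (an assumption; the thread uses bcrypt).
PBKDF2_ITERATIONS = 20_000

def hash_password(password, salt)
  OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: PBKDF2_ITERATIONS,
                           length: 32, hash: 'sha256')
end

USERS = {
  'alice@example.com' => { id: 1, salt: 'salt-a', digest: hash_password('alice-pw', 'salt-a') },
  'bob@example.com'   => { id: 2, salt: 'salt-b', digest: hash_password('bob-pw', 'salt-b') },
}.freeze

# Constant-time comparison so a wrong digest fails in the same time as a right one.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# A missing or empty password is always a failure; it never short-circuits
# to "return the user".
def valid_credentials?(email, password)
  row = USERS[email]
  return false unless row && password.is_a?(String) && !password.empty?
  secure_equal?(row[:digest], hash_password(password, row[:salt]))
end

# Mirrors the "wrong" version from the thread: @user inside a class method is
# an instance variable of the class object, shared by every request.
class LeakyAuth
  def self.authenticate(email, password)
    @user = valid_credentials?(email, password) ? { id: USERS[email][:id], email: email } : false
  end

  # Later code that reads @user gets whichever request wrote it last.
  def self.current_user_for(_session)
    @user
  end
end

# The corrected version: the result lives in a local, is returned, and the
# caller keeps it in the store belonging to that session cookie.
class SafeAuth
  def self.authenticate(email, password)
    user = valid_credentials?(email, password) ? { id: USERS[email][:id], email: email } : false
    user
  end

  def self.current_user_for(session)
    session[:user]
  end
end

# Replays the reproduction from the first post: Safari logs in as alice,
# Firefox logs in as bob, Safari refreshes. Returns what Safari sees.
def simulate_two_browsers(auth)
  sessions = { 'safari' => {}, 'firefox' => {} } # one hash per session cookie
  sessions['safari'][:user]  = auth.authenticate('alice@example.com', 'alice-pw')
  sessions['firefox'][:user] = auth.authenticate('bob@example.com', 'bob-pw')
  auth.current_user_for(sessions['safari'])
end

if $PROGRAM_NAME == __FILE__
  puts "leaky: Safari now sees #{simulate_two_browsers(LeakyAuth)[:email]}"
  puts "safe:  Safari still sees #{simulate_two_browsers(SafeAuth)[:email]}"
end
```

With `LeakyAuth` the Safari refresh comes back as bob, which is exactly the symptom in the first post; with `SafeAuth` each session keeps its own user because nothing about the result is stored on the class.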

kez

Apr 12, 2012, 1:29:28 PM
to ram...@googlegroups.com
Thanks Yorick.  I should have pasted code out of my user model; sorry.  This is what I have:

  # Try and authenticate ourselves
  def self.authenticate(hash)
    email, pass = hash['login'], hash['password']

    if user = ::User[:email => email]
      # With no password supplied this returns the user without checking one
      return user unless pass
      user if user.authenticated?(pass)
    end
  end


Where user.authenticated? is a bcrypt password conversion between what's in the DB and what the user gave us. 

I also just changed my logic in the Controller class to this:

  def login_or_user(login)
    if login
      ::User[:email => login]
    elsif logged_in?
      # Calls the User helper's `user` method; assigning a local named
      # `user` earlier in the method would shadow it and return nil here
      user
    else
      nil
    end
  end

Which doesn't seem to make much difference :[

Cheers,

kez

Yorick Peterse

Apr 12, 2012, 1:37:50 PM
to ram...@googlegroups.com
Dear Kez,

I'm not entirely sure if I fully understand the logic of your
authenticate method, does it work when you change it to the following?


    def self.authenticate(hash)
      email, pass = hash['login'], hash['password']

      if user = User[:email => email]
        if user.authenticated?(pass)
          return user
        else
          return false
        end
      else
        return false
      end
    end

I'm not sure if this changes anything but it's worth a try.

Yorick

Kester Dobson

Apr 21, 2012, 2:24:07 PM
to ram...@googlegroups.com
Yorick -

Interestingly I switched out the sequel cache adapter for the redis one with the latest release and this behaviour has righted itself, which leads me to believe that perhaps there is an issue with the sequel cache. 

I will try and put together a small example to demonstrate this. 

Cheers,

Kez