http://www.mathewabonyi.com/articles/2006/07/29/authenticated-cookie-safe-fast en-us 40 struggling to dig life <p style="text-align:justify;">I don&#8217;t really think this is deserving of a plugin, but for those of you using Acts as Authenticated who want to really squeeze twice as much out of your application, here&#8217;s one way to do it:</p> <ol> <li>Install Acts as Authenticated</li> <li>Create User model</li> <li>Fix application to expect current_user.is_a? User</li> <li>(optional) Fix application to not use sessions or flash</li> <li>Remove &#8220;include AuthenticatedSystem&#8221; from application.rb</li> <li>Add migration from below</li> <li>Place the following library in your lib and require it in environment.rb</li> <li>Put include AuthenticatedCookie in your application.rb</li> <li>(optional) Turn off sessions by placing the following in your environment.rb:</li> </ol> <div class="typocode"><pre><code class="typocode_ruby "><span class="constant">ActionController</span><span class="punct">::</span><span class="constant">CgiRequest</span><span class="punct">::</span><span class="constant">DEFAULT_SESSION_OPTIONS</span><span class="punct">.</span><span class="ident">update</span><span class="punct">(</span><span class="symbol">:disabled</span> <span class="punct">=&gt;</span> <span class="constant">true</span><span class="punct">)</span></code></pre></div> <h3>Additions to User model</h3> <div class="typocode"><pre><code class="typocode_ruby "> <span class="keyword">def </span><span class="method">self.find_by_key</span><span class="punct">(</span><span class="ident">key</span><span class="punct">,</span> <span class="ident">options</span> <span class="punct">=</span> <span class="punct">{})</span> <span class="ident">find_by_login_key</span><span class="punct">(</span><span class="ident">key</span><span class="punct">,</span> <span class="ident">options</span><span class="punct">.</span><span class="ident">merge</span><span class="punct">(</span><span class="symbol">:conditions</span> <span class="punct">=&gt;</span> <span class="punct">[&quot;</span><span class="string">login_key_expires_at &gt; ?</span><span class="punct">&quot;,</span> <span class="constant">Time</span><span class="punct">.</span><span class="ident">now</span><span class="punct">]))</span> <span class="keyword">end</span> <span class="keyword">def </span><span class="method">self.clear_key</span><span class="punct">(</span><span class="ident">key</span><span class="punct">,</span> <span class="ident">options</span> <span class="punct">=</span> <span class="punct">{})</span> <span class="keyword">if</span> <span class="ident">u</span> <span class="punct">=</span> <span class="ident">find_by_login_key</span><span class="punct">(</span><span class="ident">key</span><span class="punct">,</span> <span class="ident">options</span><span class="punct">)</span> <span class="ident">u</span><span class="punct">.</span><span class="ident">update_attributes</span><span class="punct">(</span><span class="symbol">:login_key</span> <span class="punct">=&gt;</span> <span class="constant">nil</span><span class="punct">,</span> <span class="symbol">:login_key_expires_at</span> <span class="punct">=&gt;</span> <span class="constant">nil</span><span class="punct">)</span> <span class="keyword">end</span> <span class="keyword">end</span> <span class="keyword">def </span><span class="method">create_login_key</span> <span class="constant">self</span><span class="punct">.</span><span class="ident">login_key</span> <span class="punct">=</span> <span class="constant">Digest</span><span class="punct">::</span><span class="constant">SHA1</span><span class="punct">.</span><span class="ident">hexdigest</span><span class="punct">(</span> <span class="constant">Time</span><span class="punct">.</span><span class="ident">now</span><span class="punct">.</span><span class="ident">to_s</span><span class="punct">.</span><span class="ident">split</span><span class="punct">('</span><span class="string">//</span><span class="punct">').</span><span class="ident">sort_by</span> <span class="punct">{</span><span class="ident">rand</span><span class="punct">}.</span><span class="ident">join</span> <span class="punct">)</span> <span class="constant">self</span><span class="punct">.</span><span class="ident">login_key_created_at</span> <span class="punct">=</span> <span class="constant">Time</span><span class="punct">.</span><span class="ident">now</span> <span class="constant">self</span><span class="punct">.</span><span class="ident">login_key_expires_at</span> <span class="punct">=</span> <span class="number">1</span><span class="punct">.</span><span class="ident">week</span><span class="punct">.</span><span class="ident">from_now</span> <span class="constant">self</span><span class="punct">.</span><span class="ident">save</span> <span class="keyword">end</span></code></pre></div> <h3>AddLoginKeysToUsers Migration</h3> <div class="typocode"><pre><code class="typocode_ruby "><span class="keyword">class </span><span class="class">AddLoginKeyToUsers</span> <span class="punct">&lt;</span> <span class="constant">ActiveRecord</span><span class="punct">::</span><span class="constant">Migration</span> <span class="keyword">def </span><span class="method">self.up</span> <span class="comment"># column type options</span> <span class="ident">add_column</span> <span class="symbol">:users</span><span class="punct">,</span> <span class="symbol">:login_key</span><span class="punct">,</span> <span class="symbol">:string</span><span class="punct">,</span> <span class="symbol">:default</span> <span class="punct">=&gt;</span> <span class="constant">nil</span> <span class="ident">add_column</span> <span class="symbol">:users</span><span class="punct">,</span> <span class="symbol">:login_key_created_at</span><span class="punct">,</span> <span class="symbol">:datetime</span><span class="punct">,</span> <span class="symbol">:default</span> <span class="punct">=&gt;</span> <span class="constant">nil</span> <span class="ident">add_column</span> <span class="symbol">:users</span><span class="punct">,</span> <span class="symbol">:login_key_expires_at</span><span class="punct">,</span> <span class="symbol">:datetime</span><span class="punct">,</span> <span class="symbol">:default</span> <span class="punct">=&gt;</span> <span class="constant">nil</span> <span class="ident">add_index</span> <span class="symbol">:users</span><span class="punct">,</span> <span class="symbol">:login_key</span> <span class="keyword">end</span> <span class="keyword">def </span><span class="method">self.down</span> <span class="ident">remove_index</span> <span class="symbol">:users</span><span class="punct">,</span> <span class="symbol">:login_key</span> <span class="ident">remove_column</span> <span class="symbol">:users</span><span class="punct">,</span> <span class="symbol">:login_key_expires_at</span> <span class="ident">remove_column</span> <span class="symbol">:users</span><span class="punct">,</span> <span class="symbol">:login_key_created_at</span> <span class="ident">remove_column</span> <span class="symbol">:users</span><span class="punct">,</span> <span class="symbol">:login_key</span> <span class="keyword">end</span> <span class="keyword">end</span></code></pre></div> <h3>Authenticated Cookie Library</h3> <div class="typocode"><pre><code class="typocode_ruby "><span class="comment"># AuthenicatedCookie</span> <span class="comment"># A hybrid of AAA and my own ideas</span> <span class="comment">#</span> <span class="keyword">module </span><span class="module">AuthenticatedCookie</span> <span class="keyword">def </span><span class="method">self.included</span><span class="punct">(</span><span class="ident">base</span><span class="punct">)</span> <span class="ident">base</span><span class="punct">.</span><span class="ident">send</span> <span class="symbol">:helper_method</span><span class="punct">,</span> <span class="symbol">:logged_in?</span><span class="punct">,</span> <span class="symbol">:current_user</span> <span class="ident">base</span><span class="punct">.</span><span class="ident">send</span> <span class="symbol">:before_filter</span><span class="punct">,</span> <span class="symbol">:login_from_cookie</span> <span class="keyword">end</span> <span class="ident">public</span> <span class="comment"># Login Control</span> <span class="keyword">def </span><span class="method">login_from_cookie</span> <span class="constant">self</span><span class="punct">.</span><span class="ident">current_user</span> <span class="punct">||=</span> <span class="ident">cookie_exists?</span> <span class="punct">?</span> <span class="ident">load_cookie</span> <span class="punct">:</span> <span class="constant">nil</span> <span class="keyword">end</span> <span class="keyword">def </span><span class="method">login_required</span> <span class="ident">logged_in?</span> <span class="punct">?</span> <span class="ident">access_granted</span> <span class="punct">:</span> <span class="ident">access_denied</span> <span class="keyword">end</span> <span class="keyword">def </span><span class="method">logged_in?</span> <span class="constant">self</span><span class="punct">.</span><span class="ident">current_user</span><span class="punct">.</span><span class="ident">is_a?</span> <span class="constant">User</span> <span class="keyword">end</span> <span class="comment"># Current User Control</span> <span class="keyword">def </span><span class="method">current_user=</span><span class="punct">(</span><span class="ident">new_user</span><span class="punct">)</span> <span class="ident">create_cookie</span><span class="punct">(</span><span class="ident">new_user</span><span class="punct">)</span> <span class="keyword">if</span> <span class="ident">new_user</span><span class="punct">.</span><span class="ident">is_a?</span><span class="punct">(</span><span class="constant">User</span><span class="punct">)</span> <span class="punct">&amp;&amp;</span> <span class="punct">!</span><span class="ident">cookie_exists?</span> <span class="ident">destroy_cookie</span> <span class="keyword">if</span> <span class="ident">new_user</span><span class="punct">.</span><span class="ident">nil?</span> <span class="punct">&amp;&amp;</span> <span class="ident">cookie_exists?</span> <span class="attribute">@current_user</span> <span class="punct">=</span> <span class="ident">new_user</span> <span class="keyword">end</span> <span class="keyword">def </span><span class="method">current_user</span> <span class="attribute">@current_user</span> <span class="keyword">end</span> <span class="comment"># Access Responses</span> <span class="keyword">def </span><span class="method">access_granted</span> <span class="constant">true</span> <span class="keyword">end</span> <span class="keyword">def </span><span class="method">access_denied</span> <span class="ident">store_location</span> <span class="ident">redirect_to</span><span class="punct">(</span><span class="ident">login_url</span><span class="punct">)</span> <span class="constant">false</span> <span class="keyword">end</span> <span class="comment"># Redirection Control</span> <span class="keyword">def </span><span class="method">store_location</span> <span class="ident">cookies</span><span class="punct">[</span><span class="symbol">:return_to</span><span class="punct">]</span> <span class="punct">=</span> <span class="punct">{</span> <span class="symbol">:value</span> <span class="punct">=&gt;</span> <span class="ident">request</span><span class="punct">.</span><span class="ident">request_uri</span><span class="punct">,</span> <span class="symbol">:expires</span> <span class="punct">=&gt;</span> <span class="number">1</span><span class="punct">.</span><span class="ident">hour</span><span class="punct">.</span><span class="ident">from_now</span> <span class="punct">}</span> <span class="keyword">end</span> <span class="keyword">def </span><span class="method">redirect_back_or_default</span><span class="punct">(</span><span class="ident">default</span><span class="punct">)</span> <span class="ident">return_to</span> <span class="punct">=</span> <span class="ident">cookies</span><span class="punct">[</span><span class="symbol">:return_to</span><span class="punct">]</span> <span class="punct">||</span> <span class="ident">default</span> <span class="ident">cookies</span><span class="punct">.</span><span class="ident">delete</span><span class="punct">(</span><span class="symbol">:return_to</span><span class="punct">)</span> <span class="keyword">if</span> <span class="ident">cookies</span><span class="punct">[</span><span class="symbol">:return_to</span><span class="punct">]</span> <span class="ident">redirect_to</span> <span class="ident">return_to</span> <span class="keyword">end</span> <span class="keyword">def </span><span class="method">redirect_back</span> <span class="ident">redirect_back_or_default</span><span class="punct">(</span><span class="ident">index_url</span><span class="punct">)</span> <span class="keyword">end</span> <span class="comment"># Cookie CRUD</span> <span class="keyword">def </span><span class="method">auth_cookie</span> <span class="ident">cookies</span><span class="punct">[</span><span class="symbol">:ack</span><span class="punct">]</span> <span class="keyword">end</span> <span class="keyword">def </span><span class="method">cookie_exists?</span> <span class="punct">!</span><span class="ident">auth_cookie</span><span class="punct">.</span><span class="ident">nil?</span> <span class="keyword">end</span> <span class="keyword">def </span><span class="method">create_cookie</span><span class="punct">(</span><span class="ident">user</span><span class="punct">)</span> <span class="keyword">if</span> <span class="ident">user</span><span class="punct">.</span><span class="ident">create_login_key</span> <span class="ident">cookies</span><span class="punct">[</span><span class="symbol">:ack</span><span class="punct">]</span> <span class="punct">=</span> <span class="punct">{</span> <span class="symbol">:value</span> <span class="punct">=&gt;</span> <span class="ident">user</span><span class="punct">.</span><span class="ident">login_key</span><span class="punct">,</span> <span class="symbol">:expires</span> <span class="punct">=&gt;</span> <span class="ident">user</span><span class="punct">.</span><span class="ident">login_key_expires_at</span> <span class="punct">}</span> <span class="keyword">end</span> <span class="keyword">end</span> <span class="keyword">def </span><span class="method">destroy_cookie</span> <span class="constant">User</span><span class="punct">.</span><span class="ident">clear_key</span><span class="punct">(</span><span class="ident">auth_cookie</span><span class="punct">)</span> <span class="keyword">and</span> <span class="ident">cookies</span><span class="punct">.</span><span class="ident">delete</span><span class="punct">(</span><span class="symbol">:ack</span><span class="punct">)</span> <span class="keyword">end</span> <span class="keyword">def </span><span class="method">load_cookie</span> <span class="keyword">if</span> <span class="ident">cookie_exists?</span> <span class="ident">u</span> <span class="punct">=</span> <span class="constant">User</span><span class="punct">.</span><span class="ident">find_by_key</span><span class="punct">(</span><span class="ident">auth_cookie</span><span class="punct">)</span> <span class="ident">cookies</span><span class="punct">.</span><span class="ident">delete</span><span class="punct">(</span><span class="symbol">:ack</span><span class="punct">)</span> <span class="keyword">unless</span> <span class="ident">u</span> <span class="keyword">end</span> <span class="ident">u</span> <span class="punct">?</span> <span class="ident">u</span> <span class="punct">:</span> <span class="constant">nil</span> <span class="keyword">end</span> <span class="keyword">end</span></code></pre></div> <h3>Permanency (&#8220;Remember Me&#8221;)</h3> <p style="text-align:justify;">The implementation is a trifle. For the User model, add a custom expiry time to create_login_key which is much longer if the user wants to be remembered. Add &#8216;attr_accessor :remember&#8217; and &#8216;def remember?; @remember != &#8220;0&#8221;; end&#8217; to User and add a f.check_box :remember to your login view. Be sure to pass the value of :remember from new users to authenticated users. That&#8217;s all.</p> <h3>Explanation of Authenticated Cookie</h3> <p style="text-align:justify;">Before anyone bulks at this form of authentication, take just a second to think what storing a session ID is doing&#8230; that&#8217;s right. The same bloody thing. So why waste so much memory, <span class="caps">CPU</span>, table space and requests/sec to reprocess whether someone is logged in.</p> <p style="text-align:justify;">I included a rudimentary redirect to show that the cookie is just as good as sessions for redirection. You could extend this concept to flash, preloaded preferences, etc.</p> <p style="text-align:justify;">However, this is not evangilism against sessions. I think they&#8217;re great to have, but they aren&#8217;t the right tool and have been misused, in my opinion, far too much. Cookies offer a tainted store. Tainted information should go in cookies and be considered tainted. Sessions are and should be treated as a secure store. Thing is, if you are following <span class="caps">CRUD</span> design, there&#8217;ll be very little for you to secure and keep untainted which isn&#8217;t validated and in a database.</p> Sat, 29 Jul 2006 04:28:39 -0400 urn:uuid:95c75755-afe9-4d02-9844-a8d245e098e0 Mathew Abonyi http://www.mathewabonyi.com/articles/2006/07/29/authenticated-cookie-safe-fast Rails http://www.mathewabonyi.com/articles/trackback/15