Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
991 views
in Technique[技术] by (71.8m points)

json - Rails 3 - basic http authentication vs authentication token with iphone

Initially I was using basic http authentication to authenticate a user with devise following this guide:

http://jessehowarth.com/2011/04/27/ajax-login-with-devise

I was successfully able to authenticate a user, but the session remained logged in forever. There was no way to destroy the user's session. In fact, when I added the user_signed_in? method of devise within my create method, it would always return true even when logging out via json. So I came to conclusion that there is no way to end a session using basic http authentication. All you could really do is check if the user is already signed in and send a status code as json back to the client.

So then I tried the authentication token route, which allowed you to create a session with an authentication token and then destroy a session by deleting that authentication token, and the user would have to sign in again in order to access pages that require authentication, as shown in this post:

Devise and Authentication with CURL !

The downside of this is the fact that you have this very long string that you have to enter in for each page that requires authentication, which seems a little undesirable. I wish there was a best of both worlds here, where you can log in and out like you do in a web browser.

Im not sure if everything I am saying is accurate, but it seems in line with this post:

http authentication in devise and rails 3

In that post, he says authentication token is "more secure than http basic authentication since the key can expire". I assume he means that once you are logged in using basic authentication, then that's it, you are logged in forever, whereas authentication token you can expire it and force the user to sign in again. Is this accurate interpretation?

Thanks for response

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

The way that HTTP authentication works, once a browser is logged in (i.e. is sending WWW-Authenticate headers), it will stay logged in until its HTTP authentication cache is expired (usually when you exit the browser).

Since browsers continue to send valid credentials in HTTP authentication (there is no "HTTP logout"), that's why you're seeing the user still logged in.

My recommendation is to use the authentication_token functionality in Devise and pass ?auth_token to your APIs. Keep in mind that you have to pass them as part of the URL even if it is a POST/DELETE/PUT/etc. (this is a Devise bug that may be fixed by now).


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...