[RCU] How to know that a user is connected to Roundcube from a Rails app ?

Sol Badguy kazenocoe at yahoo.fr
Mon May 11 12:47:39 CEST 2009


Sol Badguy wrote:
>> Hello,
>> 
>> I am making an SSO-like system based on the Roundcube connection and 
>> would like to check from a Ruby on Rails App that the user is logged in 
>> Roundcube. I have tried to make an HTTP GET request from my Rails app and 
>> checking for the existence of the login form on the index.php page.
>> 
>> Here's my rails code
>> 
>>         require 'net/http'
>>
>>         # Fetch the Roundcube index page from the Rails server
>>         url = URI.parse('http://www.mysite.com/dir1/index.php')
>>         req = Net::HTTP::Get.new(url.path)
>>         res = Net::HTTP.start(url.host, url.port) {|http|
>>                 http.request(req)
>>         }
>>
>>         # Treat the absence of the login form as "logged in"
>>         reg = /<div id="login-form">/
>>         logged = reg.match(res.body) ? false : true
>> 
>> Even though a user is connected in Roundcube, my GET keeps returning the 
>> login page.
>> Where am I mistaken? Or does anyone have a better way of doing this?

Michael Orlitzky wrote:
> Two things are wrong.

> First, if the user was logged in to Roundcube, it would be his or her 
> computer that was logged in, not your server. So, when your server 
> (Rails) requests the Roundcube page, it gets the login form. Because 
> your server *isn't* logged in to Roundcube -- the user's computer is.

> Second, even if you were somehow performing this check on the user's 
> computer, it wouldn't work. There are security measures in place to 
> prevent it. If I'm logged in to Site A (Roundcube), and visit Site B 
> (Rails app), the two should not be able to find out anything about each 
> other. This is a Good Thing.

> If you really think this is the right way to do single sign-on -- I 
> don't think it is, but I'm not willing to argue it right now -- then I 
> would suggest storing your PHP sessions in a SQL database. See for example,

> http://us.php.net/session_set_save_handler

> and the related functions. Also consider Googling around for "php sql 
> session" and similar.

> If,

> a) You store the Roundcube session in SQL

> b) Your Rails application can access this SQL database and knows what to
>    look for

> then you might be able to determine whether or not a particular user is 
> logged in to Roundcube. Be careful with how you perform the checks, 
> though. You wouldn't want to assume that two users are the same person 
> simply because they have the same IP address.

Hello Michael, 

Thank you for your answer. 

I agree with you this is quite a rough way of doing SSO, it's my first try
at it and any cleaner way of doing so would be welcome.

I will follow your suggestion and make Roundcube store the session in my
Rails' SQL Database and check if my user is connected without using the IP
address.
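
The check discussed in this thread, as an added example that is not part of the original messages and is not Roundcube's or the posters' code: the Rails side looks up the session id that the user's own browser presented, rejects stale rows, and reads the login name out of the PHP session data without ever consulting the IP address. Assumptions: the column names, the 32-hex-character id format, the 10-minute lifetime and the `username` key are hypothetical, the rows are constructed sample data standing in for a parameterised SQL query, and the browser is assumed to send the webmail session cookie to the Rails app (shared cookie scope).

```ruby
require 'strscan'

# Constructed rows standing in for the shared SQL session table. Column names,
# id format and lifetime are assumptions; match them to your save handler.
SESSION_ROWS = [
  { sess_id: 'a3f9c2d17b6e4f508899aabbccddeeff', changed: Time.utc(2009, 5, 11, 10, 40),
    vars: 'language|s:5:"en_US";username|s:5:"alice";user_id|i:7;' },
  { sess_id: '0123456789abcdef0123456789abcdef', changed: Time.utc(2009, 5, 11, 8, 0),
    vars: 'username|s:3:"bob";user_id|i:9;' },                 # stale session
  { sess_id: 'ffffffffffffffffffffffffffffffff', changed: Time.utc(2009, 5, 11, 10, 44),
    vars: 'language|s:5:"en_US";' }                            # login page only
].freeze
SESSION_LIFETIME = 10 * 60               # seconds
SESS_ID_FORMAT   = /\A[0-9a-f]{32}\z/

# Walk PHP's session encoding (key|s:<bytes>:"<value>"; or key|i:<n>;) from the
# start, so a stored string that merely contains 'username|s:...' is never
# mistaken for the real key. Anything unexpected fails closed with nil.
def parse_php_session(raw)
  s = StringScanner.new(raw.b)
  out = {}
  until s.eos?
    key = s.scan(/[^|]+/) or return nil
    s.skip(/\|/) or return nil
    if s.scan(/i:(-?\d+);/)
      out[key.force_encoding('UTF-8')] = s[1].to_i
    elsif s.scan(/s:(\d+):"/)
      len = s[1].to_i
      val = s.peek(len)
      return nil unless val.bytesize == len
      s.pos += len
      s.skip(/";/) or return nil
      out[key.force_encoding('UTF-8')] = val.force_encoding('UTF-8')
    else
      return nil
    end
  end
  out
end

# cookie_value is the session id the user's own browser sent to the Rails app.
# The client IP address is deliberately not an input.
def roundcube_user(cookie_value, rows, now)
  return nil unless cookie_value.is_a?(String) && SESS_ID_FORMAT.match?(cookie_value)
  row = rows.find { |r| r[:sess_id] == cookie_value }   # stands in for WHERE sess_id = ?
  return nil if row.nil? || now - row[:changed] > SESSION_LIFETIME
  vars = parse_php_session(row[:vars]) or return nil
  vars['username']                                      # nil if nobody authenticated
end
```

A session row existing is not the same as a user being logged in: the third sample row belongs to a visitor who only loaded the login page, so the lookup returns nil for it.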



      