Sol Badguy wrote:
Hello,
I am making an SSO-like system based on the Roundcube connection and would like to check from a Ruby on Rails app that the user is logged in to Roundcube. I have tried making an HTTP GET request from my Rails app and checking for the existence of the login form on the index.php page.
Here's my Rails code:

    require 'net/http'
    url = URI.parse('http://www.mysite.com/dir1/index.php')
    req = Net::HTTP::Get.new(url.path)
    res = Net::HTTP.start(url.host, url.port) {|http| http.request(req) }
    reg = /<div id="login-form">/
    logged = reg.match(res.body) ? false : true

Even though a user is connected in Roundcube, my GET keeps returning the login page. Where am I mistaken? Or does anyone have a better way of doing this?
Michael Orlitzky wrote:
Two things are wrong.
First, if the user was logged in to Roundcube, it would be his or her computer that was logged in, not your server. So, when your server (Rails) requests the Roundcube page, it gets the login form. Because your server *isn't* logged in to Roundcube -- the user's computer is.
Second, even if you were somehow performing this check on the user's computer, it wouldn't work. There are security measures in place to prevent it. If I'm logged in to Site A (Roundcube), and visit Site B (Rails app), the two should not be able to find out anything about each other. This is a Good Thing.
If you really think this is the right way to do single sign-on -- I don't think it is, but I'm not willing to argue it right now -- then I would suggest storing your PHP sessions in a SQL database. See for example,
and the related functions. Also consider Googling around for "php sql session" and similar.
If,
a) You store the Roundcube session in SQL
b) Your Rails application can access this SQL database and knows what to look for
then you might be able to determine whether or not a particular user is logged in to Roundcube. Be careful with how you perform the checks, though. You wouldn't want to assume that two users are the same person simply because they have the same IP address.
Hello Michael,
Thank you for your answer.
I agree with you that this is quite a rough way of doing SSO; it's my first try at it, and any cleaner way of doing so would be welcome.
I will follow your suggestion and make Roundcube store the session in my Rails' SQL database and check if my user is connected without using the IP address.
List info: http://lists.roundcube.net/users/
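
One way to evaluate a session row once the Rails app has fetched it from the shared database by session ID, written as an added example that is not code from the thread. It assumes a row with a `changed` timestamp and a base64-encoded, PHP-serialized `vars` column holding `user_id` and `username`, plus a 600-second session lifetime; check all of these against your Roundcube version. The serialized data is parsed rather than pattern-matched so that a stored string which merely looks like a login marker is not accepted, and the decision uses the session contents and age, never the IP address.

```ruby
require 'base64'

# Parse one PHP-serialized value at byte offset i; returns [value, next_i].
def php_value(s, i)
  case s[i]
  when 'N' then [nil, i + 2]
  when 'i', 'b', 'd'
    j = s.index(';', i)
    [s[i + 2...j], j + 1]
  when 's', 'a'
    c = s.index(':', i + 2)
    n = Integer(s[i + 2...c])
    if s[i] == 's'
      raise ArgumentError, 'bad string' unless s[c + n + 2, 2] == '";'
      return [s[c + 2, n], c + n + 4]
    end
    i = c + 2 # skip ':{'
    h = {}
    n.times { k, i = php_value(s, i); h[k], i = php_value(s, i) }
    [h, i + 1] # skip '}'
  else raise ArgumentError, 'unsupported type'
  end
end

# PHP's session format is a flat run of  key|<serialized value>  pairs.
def parse_php_session(raw)
  s, i, out = raw.b, 0, {}
  while i < s.bytesize
    bar = s.index('|', i) or raise ArgumentError, 'malformed session'
    key = s[i...bar]
    out[key], i = php_value(s, bar + 1)
  end
  out
end

# Username of the logged-in Roundcube user for this row, or nil (fail closed).
# Column names and the 600 s lifetime are assumptions, not taken from the thread.
def roundcube_user(row, now: Time.now, lifetime: 600)
  return nil if row.nil? || now - row['changed'] > lifetime
  vars = parse_php_session(Base64.strict_decode64(row['vars']))
  vars['user_id'].to_i > 0 ? vars['username'] : nil
rescue StandardError
  nil
end

# Constructed sample data, not real sessions.
NOW = Time.at(1_700_000_000)
LIVE = 'language|s:5:"en_US";user_id|i:7;username|s:17:"alice@example.org";' \
       'folders|a:1:{s:5:"INBOX";a:1:{s:3:"cnt";i:3;}}'
ANON = 'note|s:12:"user_id|i:1;";temp|b:1;' # string value mimics a login marker
SAMPLE_ROW = ->(v, age) { { 'changed' => NOW - age, 'vars' => Base64.strict_encode64(v) } }
```

The Rails side should compare the returned username with the account it is about to sign in, and treat `nil` as "not logged in".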