Sol Badguy wrote:
>> Hello,
>>
>> I am making an SSO-like system based on the Roundcube login and
>> would like to check from a Ruby on Rails app that the user is logged in
>> to Roundcube. I have tried to make an HTTP GET request from my Rails app and
>> check for the existence of the login form on the index.php page.
>>
>> Here's my rails code
>>
>> require 'net/http'
>>
>> url = URI.parse('http://www.mysite.com/dir1/index.php')
>> req = Net::HTTP::Get.new(url.path)
>>
>> res = Net::HTTP.start(url.host, url.port) {|http|
>>   http.request(req)
>> }
>>
>> reg = /<div id="login-form">/
>> logged = reg.match(res.body) ? false : true
>>
>> Even though a user is connected in Roundcube, my GET keeps returning the
>> login page.
>> Where am I mistaken? Or does anyone have a better way of doing this?
Michael Orlitzky wrote:
> Two things are wrong.
> First, if the user was logged in to Roundcube, it would be his or her
> computer that was logged in, not your server. So, when your server
> (Rails) requests the Roundcube page, it gets the login form. Because
> your server *isn't* logged in to Roundcube -- the user's computer is.
> Second, even if you were somehow performing this check on the user's
> computer, it wouldn't work. There are security measures in place to
> prevent it. If I'm logged in to Site A (Roundcube), and visit Site B
> (Rails app), the two should not be able to find out anything about each
> other. This is a Good Thing.
> If you really think this is the right way to do single sign-on -- I
> don't think it is, but I'm not willing to argue it right now -- then I
> would suggest storing your PHP sessions in a SQL database. See for example,
> <http://us.php.net/session_set_save_handler> and the related functions. Also consider Googling around for "php sql
> session" and similar.
> If,
> a) You store the Roundcube session in SQL
> b) Your Rails application can access this SQL database and knows what to
> look for
> then you might be able to determine whether or not a particular user is
> logged in to Roundcube. Be careful with how you perform the checks,
> though. You wouldn't want to assume that two users are the same person
> simply because they have the same IP address.
Hello Michael,
Thank you for your answer.
I agree with you this is quite a rough way of doing SSO, it's my first try at it and
any cleaner way of doing so would be welcome.
I will follow your suggestion and make Roundcube store the session in my Rails SQL
database and check if my user is connected without using the IP address.
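An added example (not code from either poster, and not Roundcube's own code) of the check Michael describes and the reply agrees to: the Rails side looks up the session id that the user's browser presents in its cookie against the shared, SQL-backed session store, and never matches on IP address. The session cookie name (`roundcube_sessid`), the session lifetime, and the flattened row layout (`sess_id`, `changed`, `ip`, `username`) are assumptions; a constructed Hash stands in for the SQL table so the code runs offline. It also shows, for contrast, the IP-based lookup the reply warns against, which returns several users when a NAT or proxy puts them behind one address.

```ruby
# Added example: verifying a Roundcube login from a Rails app via a shared
# SQL session store. Cookie name, TTL and row layout are assumptions, and the
# rows below are constructed test data standing in for a SQL query result.
require 'time'

# Assumed Roundcube session lifetime in seconds; sessions older than this are
# treated as dead even if the row still exists in the table.
SESSION_TTL = 600

# Assumed cookie the browser sends to any host on the same domain as Roundcube.
SESSION_COOKIE = 'roundcube_sessid'

# Constructed rows (stand-in for "SELECT sess_id, changed, ip, username FROM session").
# alice and carol share an IP (NAT); bob's session has gone stale.
SESSION_ROWS = {
  'a1b2c3' => { changed: Time.parse('2010-01-01 12:00:00 UTC'), ip: '10.0.0.5', username: 'alice' },
  'd4e5f6' => { changed: Time.parse('2010-01-01 11:40:00 UTC'), ip: '10.0.0.5', username: 'bob'   },
  'g7h8i9' => { changed: Time.parse('2010-01-01 12:03:00 UTC'), ip: '10.0.0.5', username: 'carol' },
}

# Extract the Roundcube session id from the raw Cookie header the browser
# sent to the Rails app. Returns nil when the cookie is absent or empty.
def session_id_from_cookie(cookie_header, name = SESSION_COOKIE)
  return nil if cookie_header.nil?
  cookie_header.split(/;\s*/).each do |pair|
    key, value = pair.split('=', 2)
    return value if key == name && value && !value.empty?
  end
  nil
end

# The right check: resolve the session the *user's browser* presented, and
# only accept it if the store has a row that is still within its lifetime.
# Returns the username, or nil when the user is not logged in to Roundcube.
def roundcube_user_for(cookie_header, rows = SESSION_ROWS, now: Time.now)
  sid = session_id_from_cookie(cookie_header)
  return nil unless sid
  row = rows[sid]
  return nil unless row
  return nil if now - row[:changed] > SESSION_TTL
  row[:username]
end

# The check the reply warns against: "someone at this IP has a live session".
# Shown only to make the ambiguity visible; it can return several users.
def users_logged_in_from_ip(ip, rows = SESSION_ROWS, now: Time.now)
  rows.values
      .select { |r| r[:ip] == ip && now - r[:changed] <= SESSION_TTL }
      .map { |r| r[:username] }
end

if __FILE__ == $PROGRAM_NAME
  now = Time.parse('2010-01-01 12:05:00 UTC')
  puts roundcube_user_for('roundcube_sessid=a1b2c3; other=x', now: now).inspect
  puts roundcube_user_for('roundcube_sessid=d4e5f6', now: now).inspect
  puts users_logged_in_from_ip('10.0.0.5', now: now).inspect
end
```

In a Rails controller the `cookie_header` would be `request.headers['Cookie']` and `SESSION_ROWS` a query against the table Roundcube was configured to write to. This only works when the browser actually sends the Roundcube cookie to the Rails app, i.e. both are served under a domain and path the cookie is scoped to; the point in the reply about one site not being able to read another site's state still holds across unrelated origins.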