Sol Badguy wrote:
>> Hello,
>>
>> I am making an SSO-like system based on the Roundcube connection and
>> would like to check from a Ruby on Rails App that the user is logged in
>> Roundcube. I have tried to make a HTTP GET request from my Rails app and
>> checking for the existence of the login form on the index.php page.
>>
>> Here's my rails code
>>
>>        require 'net/http'
>>
>>        url = URI.parse('http://www.mysite.com/dir1/index.php')
>>        req = Net::HTTP::Get.new(url.path)
>>        res = Net::HTTP.start(url.host, url.port) { |http|
>>                http.request(req)
>>        }
>>
>>        reg = /<div id="login-form">/
>>        logged = reg.match(res.body) ? false : true
>>
>> Even though a user is connected in Roundcube, my GET keeps returning the
>> login page.
>> Where am I mistaken? Or does anyone have a better way of doing this?

Michael Orlitzky wrote:
> Two things are wrong.

> First, if the user was logged in to Roundcube, it would be his or her
> computer that was logged in, not your server. So, when your server
> (Rails) requests the Roundcube page, it gets the login form. Because
> your server *isn't* logged in to Roundcube -- the user's computer is.

> Second, even if you were somehow performing this check on the user's
> computer, it wouldn't work. There are security measures in place to
> prevent it. If I'm logged in to Site A (Roundcube), and visit Site B
> (Rails app), the two should not be able to find out anything about each
> other. This is a Good Thing.

> If you really think this is the right way to do single sign-on -- I
> don't think it is, but I'm not willing to argue it right now -- then I
> would suggest storing your PHP sessions in a SQL database. See for example,

> http://us.php.net/session_set_save_handler

> and the related functions. Also consider Googling around for "php sql
> session" and similar.

> If,

> a) You store the Roundcube session in SQL

> b) Your Rails application can access this SQL database and knows what to
> look for

> then you might be able to determine whether or not a particular user is
> logged in to Roundcube. Be careful with how you perform the checks,
> though. You wouldn't want to assume that two users are the same person
> simply because they have the same IP address.
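
One way to perform the check Michael describes, as an added example that is not code from this thread, from Roundcube or from the poster's Rails app: look the session row up by its session id, take the login state from the stored session variables, and never use the ip column. It assumes Roundcube's session table layout (sess_id, changed, ip, vars, with vars holding a base64-encoded PHP-serialized session), a session lifetime, and that the Rails app can obtain the user's Roundcube session id; the rows below are constructed.

```ruby
require 'base64'

# Assumed from Roundcube's default schema, not stated in the thread:
# session(sess_id, changed, ip, vars), vars = base64 of PHP "php"-serializer output.
SESSION_LIFETIME = 10 * 60 # seconds; assumed to match Roundcube's session_lifetime

# Parse PHP's "php" session format: key|<value>;key|<value>; ...
# Only scalars (s:, i:, b:) are handled; an unknown type stops parsing.
def php_session_vars(blob)
  data, vars, pos = Base64.decode64(blob), {}, 0
  while (bar = data.index('|', pos))
    key  = data[pos...bar]
    rest = data[(bar + 1)..-1]
    case rest
    when /\As:(\d+):"/            # string: s:<len>:"<bytes>";
      len, start = $1.to_i, bar + 1 + $&.length
      vars[key] = data[start, len]
      pos = start + len + 2       # skip closing quote and ';'
    when /\Ai:(-?\d+);/           # integer
      vars[key] = $1.to_i
      pos = bar + 1 + $&.length
    when /\Ab:([01]);/            # boolean
      vars[key] = ($1 == '1')
      pos = bar + 1 + $&.length
    else
      break
    end
  end
  vars
end

# Look the session up by id only; the ip column is deliberately not used.
# Returns the username, or nil if the session is unknown, expired or pre-login.
def logged_in_user(rows, sess_id, now = Time.now)
  row = rows.find { |r| r[:sess_id] == sess_id }
  return nil if row.nil? || now - row[:changed] > SESSION_LIFETIME
  php_session_vars(row[:vars])['username']
end

# Constructed rows standing in for: SELECT sess_id, changed, ip, vars FROM session
FIXED_NOW = Time.utc(2024, 1, 1, 12, 0, 0)
SAMPLE_ROWS = [
  { sess_id: 'sess-alice', changed: FIXED_NOW - 60, ip: '203.0.113.5',
    vars: Base64.strict_encode64('username|s:5:"alice";user_id|i:7;') },
  { sess_id: 'sess-stale', changed: FIXED_NOW - 3600, ip: '203.0.113.5',
    vars: Base64.strict_encode64('username|s:3:"bob";') },
  { sess_id: 'sess-anon', changed: FIXED_NOW - 10, ip: '203.0.113.5',
    vars: Base64.strict_encode64('temp|b:1;') } # no login completed yet
]
```

In a real deployment the rows come from the shared database and the session id from the user's own Roundcube cookie, which the Rails app can only read if both sites share a cookie domain.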

Hello Michael,

Thank you for your answer.

I agree with you that this is quite a rough way of doing SSO; it's my first try at it, and any cleaner way of doing so would be welcome.

I will follow your suggestion and make Roundcube store the session in my Rails app's SQL database, and check whether my user is connected without using the IP address.