We've covered how cookies can be used to store data in a user's browser.
One of the most common uses of cookies is for login. In this lesson, we'll cover how to use the Rails session to log users in.
- Describe where session data is stored.
- Create a
Sessionscontroller in Rails. - Log a user in with it.
Nearly every website in the world uses what I am going to call the "wristband" pattern. A lot of nightclubs use this pattern as well.
You arrive at the club. The bouncer checks your ID. They put a wristband on your wrist (or stamp your hand). They let you into the club.
If you leave and come back, the bouncer doesn't look at your ID, they just look for your wristband. If you buy a drink, the bartender doesn't need to see your ID, since your wristband proves you're old enough to buy alcohol.
You arrive at gmail.com. You submit your username and password. Google's servers check to see if your credentials are correct. If they are, Google's servers issue a cookie to your browser. If you visit another page on gmail, or anywhere on google.com for that matter, your browser will show the cookie to the server. The server verifies this cookie, and lets you load your inbox.
Let's look at what the simplest possible login system might look like in Rails.
The flow will look like this:
- The user GETs
/login - The user enters their username. There is no password.
- The user submits the form, POSTing to
/login. - In the create action of the
SessionsControllerwe set a cookie on the user's browser by writing their username into the session hash. - Thereafter, the user is logged in.
session[:username]will hold their username.
Let's write a SessionsController to handle these routes. This controller has two actions, new and create, which we'll map in routes.rb to get and post on /login. They will look like the below syntax:
get “/login”, to: “sessions#new”post “/login”, to: “sessions#create”Typically, your create method would look up a user in the database, verify their login credentials, and then store the authenticated user's id in the session.
We're not going to do any of that right now. Our sessions controller is just going to trust that you are who you say you are.
class SessionsController < ApplicationController
def new
# nothing to do here!
end
def create
session[:username] = params[:username]
redirect_to '/'
end
endThere's no way for the server to log you out right now. To log yourself out, you'll have to delete the cookie from your browser.
We'll make a very small login form for new.html.erb,
<form method='post'>
<input name='username'>
<input type='submit' value='login'>
</form>Ordinarily, we would use form_for @user, but in this example, we don't have a user model at all!
When the user submits the form, they'll be logged in!
The log out flow is even simpler. We add a SessionsController#destroy method, which will clear the username out of the session.
def destroy
session.delete :username
endThe most common way to route this action is to post '/logout'. This means that our logout link will actually be a submit button that we style to look like a link.
It's tempting, but don't attach this to a get route. HTTP specifies that get routes don't change anything—logging out is definitely changing something. You don't actually want someone to be able to put a link to http://www.yoursite.com/logout in an email or message board post. It's not a security flaw, but it's pretty annoying to be logged out because of mailing list hijinks.
At its base, login is very simple: the user provides you with credentials in a POST, you verify those credentials and set a token in the session. In this example, our token was literally the username the user typed. In a more complex app, it would most likely be their user id.
View Sessions Controller on Learn.co and start learning to code for free.
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent