logout & deleting cookies

The logout strategy on page 172 of AWDWR doesn't seem to do anything.

I ended up creating the same thing on my own, then looked up how they did it in the book.

I would expect it to update the session record to clear out the data column, and I would expect it to delete the cookie from the browser.

It does neither.

My logout button goes to a logout page, then redirects to the login page so that the cookie should be deleted. I know I have gotten that to work in my other (non-Rails) apps.

Am I missing something?

-- gw

try something like this

    def log_out
      reset_session
      redirect_to('where_ever_you_want')
    end

this will reset the whole session.

Have you looked at acts_as_authenticated plugin? You get most of the
functionality you are wanting for free, and extending it is really easy.

-Bill
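As an added illustration (not code from the thread, the book, or Rails itself), here is a stand-alone Ruby model of the two effects the original poster expected from a logout: wiping the server-side session record and asking the browser to drop the cookie. The Hash-backed store, the cookie name and the redirect target are assumptions for illustration; in Rails, `reset_session` takes care of discarding the server-side session for you. The point worth seeing is that the server-side step is the one that actually ends the session: once the record is gone, a copy of the old cookie value no longer resolves to anyone, whether or not the browser honoured the deletion.

```ruby
# Added example, not the thread's or Rails' own code: both halves of a logout,
# modelled with stdlib Ruby so it runs without a web framework.
require 'securerandom'
require 'time'

# Stands in for the sessions table: session id => data hash (an assumption).
class SessionStore
  def initialize
    @records = {}
  end

  # Log-in: create a fresh record and return the id that goes in the cookie.
  def create(data)
    id = SecureRandom.hex(16)
    @records[id] = data.dup
    id
  end

  def lookup(id)
    @records[id]
  end

  # Logout step 1: forget the record server-side. After this, a replayed copy
  # of the old cookie (sniffed, or left in another browser) maps to nothing.
  def destroy(id)
    @records.delete(id)
  end
end

# Logout step 2: ask the browser to drop the cookie. An empty value plus an
# expiry date in the past is how every framework "deletes" a cookie; only the
# browser can actually remove it, the server merely requests it.
def expire_cookie_header(name, path: '/')
  epoch = Time.at(0).utc.httpdate   # "Thu, 01 Jan 1970 00:00:00 GMT"
  "#{name}=; expires=#{epoch}; path=#{path}; HttpOnly"
end

# Performs both steps. Returns [response headers, server record after logout]
# so the effect of each step is visible to the caller.
def log_out(store, cookie_name, session_id)
  store.destroy(session_id)
  headers = {
    'Set-Cookie' => expire_cookie_header(cookie_name),
    'Location'   => '/login',   # the redirect the poster already does (assumed path)
  }
  [headers, store.lookup(session_id)]
end

# Constructed demonstration: what a client replaying the old cookie would get.
if __FILE__ == $0
  store = SessionStore.new
  sid = store.create('user_id' => 42)
  headers, record = log_out(store, '_session_id', sid)
  puts headers['Set-Cookie']
  puts "record after logout: #{record.inspect}"   # nil: the old cookie is useless
end
```

If only the cookie were expired and the record left in place, the replayed cookie would still log the client in; that is the gap to check for when a logout "doesn't seem to do anything".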

Ah didn't see that one. Perfect. Thanks.

-- gw

I had a quick look. I chose to port a user management system I've developed through experience with intranet apps used in corp/gov/edu systems. I evolved it over several years. I work with some fairly complex rules systems governing what parts of a program (down to single buttons) and what data (down to specific fields) that people can access.

Role based systems are far too inflexible for real-world, multi-organization, work-group use, so I've built up a system which combines the capabilities of roles, groups, ACL-like privileges, and data access filters. The filters are used to modify core application queries to apply additional WHERE clause constraints. The system also includes modular user profiles so it can manage multiple types of users (like teachers, parents, students) with a clean schema. The ACL list rules are defined by a very simple config which can be changed at any time and the UI adapts on the next page load.

It also has all the usual password management rules you find in corp/gov so I can:
- expire a password after X days
- start prompting the user to update a pswd within X days of expiration
- maintain a password history so pswds can't be the same as the last X ones used
- require that pswds be made up of X types of chars or be Y long to be considered a passphrase
- lock an account for X minutes if pswd entered Y times incorrectly

There are other attributes to the system as well. There's more info on my current Lasso implementation here:

http://www.pageblocks.org/ftrs/api_auth

There's a good chance I'll share it when I get the port complete.

-- greg willits
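As an added example (not the poster's code, not part of his system or the thread), the password rules listed in the post above, written out as a stand-alone Ruby policy class so each rule can be exercised on its own. The default values for X and Y, the shape of the account record, and the use of plain SHA-256 for the history comparison are assumptions for illustration; a real deployment would keep the history with a salted, slow password hash.

```ruby
# Added example, not the thread's code: the five password rules from the post
# as a checkable policy. Parameter values and record layout are assumptions.
require 'digest'
require 'time'

class PasswordPolicy
  DEFAULTS = {
    max_age_days:      90,   # expire a password after X days
    warn_days:         14,   # start prompting within X days of expiration
    history_size:      5,    # can't reuse any of the last X
    min_char_classes:  3,    # X types of chars ...
    passphrase_length: 20,   # ... or Y long counts as a passphrase
    lock_after:        5,    # lock after Y bad attempts ...
    lock_minutes:      15,   # ... for X minutes
  }.freeze

  def initialize(**opts)
    @p = DEFAULTS.merge(opts)
  end

  # Expiry rule: :ok, :warn (inside the prompting window) or :expired.
  def age_status(changed_at, now: Time.now)
    age_days = (now - changed_at) / 86_400.0
    return :expired if age_days >= @p[:max_age_days]
    return :warn    if age_days >= @p[:max_age_days] - @p[:warn_days]
    :ok
  end

  # Count the character classes present: lower, upper, digit, other.
  def char_classes(pw)
    [/[a-z]/, /[A-Z]/, /\d/, /[^A-Za-z\d]/].count { |re| pw.match?(re) }
  end

  # Complexity rule: enough classes, or long enough to count as a passphrase.
  def complex_enough?(pw)
    pw.length >= @p[:passphrase_length] || char_classes(pw) >= @p[:min_char_classes]
  end

  # History rule: reject a password equal to any of the last X (newest last).
  def reused?(pw, history_hashes)
    history_hashes.last(@p[:history_size]).include?(Digest::SHA256.hexdigest(pw))
  end

  # Combined check for a password change; returns the list of violated rules.
  def change_errors(new_pw, history_hashes)
    errors = []
    errors << :too_simple unless complex_enough?(new_pw)
    errors << :reused     if reused?(new_pw, history_hashes)
    errors
  end

  # Lockout rule, driven by a per-account record with :failures (Integer)
  # and :locked_until (Time or nil).
  def locked?(account, now: Time.now)
    account[:locked_until] && now < account[:locked_until]
  end

  def record_failure(account, now: Time.now)
    account[:failures] += 1
    if account[:failures] >= @p[:lock_after]
      account[:locked_until] = now + @p[:lock_minutes] * 60
      account[:failures] = 0
    end
    account
  end

  def record_success(account)
    account[:failures] = 0
    account[:locked_until] = nil
    account
  end
end

# Constructed demonstration of the rules on sample input.
if __FILE__ == $0
  policy = PasswordPolicy.new
  changed = Time.utc(2024, 1, 1)
  puts policy.age_status(changed, now: changed + 80 * 86_400)   # :warn
  puts policy.change_errors('abc', []).inspect                 # [:too_simple]
  acct = { failures: 0, locked_until: nil }
  5.times { policy.record_failure(acct, now: changed) }
  puts policy.locked?(acct, now: changed + 60)                 # true
end
```

Keeping the X and Y values in one table, as the post describes for its config, is what lets the rules change without touching the checks themselves.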