Sol Badguy wrote:
> Hello,
> 
> I am making an SSO-like system based on the Roundcube connection and 
> would like to check from a Ruby on Rails App that the user is logged in 
> Roundcube. I have tried to make an HTTP GET request from my Rails app and 
> checking for the existence of the login form on the index.php page.
> 
> Here's my rails code
> 
>         require 'net/http'     
>            
>         url = URI.parse('http://www.mysite.com/dir1/index.php')
>         req = Net::HTTP::Get.new(url.path)
>         res = Net::HTTP.start(url.host, url.port) {|http|
>                 http.request(req)
>         }
> 
>         reg = /<div id="login-form">/
>         logged = reg.match(res.body) ? false : true
> 
> Even though a user is connected in Roundcube, my GET keeps returning the 
> login page.
> Where am I mistaken? Or does anyone have a better way of doing this?

Two things are wrong.

First, if the user was logged in to Roundcube, it would be his or her 
computer that was logged in, not your server. So, when your server 
(Rails) requests the Roundcube page, it gets the login form. Because 
your server *isn't* logged in to Roundcube -- the user's computer is.

Second, even if you were somehow performing this check on the user's 
computer, it wouldn't work. There are security measures in place to 
prevent it. If I'm logged in to Site A (Roundcube), and visit Site B 
(Rails app), the two should not be able to find out anything about each 
other. This is a Good Thing.

If you really think this is the right way to do single sign-on -- I 
don't think it is, but I'm not willing to argue it right now -- then I 
would suggest storing your PHP sessions in a SQL database. See for example,

http://us.php.net/session_set_save_handler

and the related functions. Also consider Googling around for "php sql 
session" and similar.

If,

a) You store the Roundcube session in SQL

b) Your Rails application can access this SQL database and knows what to
    look for

then you might be able to determine whether or not a particular user is 
logged in to Roundcube. Be careful with how you perform the checks, 
though. You wouldn't want to assume that two users are the same person 
simply because they have the same IP address.
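
An added example, not part of the original message or of Roundcube's code: a Rails-side sketch of the lookup described above, keyed on the session id the browser presents rather than on the IP address. It assumes the PHP save handler writes one row per session with the hypothetical columns `sess_id`, `user_id`, `ip` and `changed`, and that Rails and Roundcube share a host so the browser sends the Roundcube session cookie to both; a Hash stands in for the SQL table.

```ruby
# Added example; the table layout and every name here are hypothetical.
# Assumes a PHP save handler writes one row per session with these columns.
SessionRow = Struct.new(:sess_id, :user_id, :ip, :changed)

IDLE_TIMEOUT = 10 * 60                            # seconds (assumed)
SESSION_ID_FORMAT = /\A[A-Za-z0-9,-]{22,256}\z/   # assumed shape of a PHP session id

# Returns the logged-in user id for the session id the browser presented,
# or nil. `rows` stands in for a parameterized SELECT ... WHERE sess_id = ?.
def roundcube_user_for(cookie_sess_id, rows, now: Time.now)
  return nil unless cookie_sess_id.is_a?(String) &&
                    cookie_sess_id.match?(SESSION_ID_FORMAT)
  row = rows[cookie_sess_id]
  return nil if row.nil?                          # unknown session id
  return nil if row.user_id.nil?                  # session exists, nobody logged in
  return nil if now - row.changed > IDLE_TIMEOUT  # stale row not yet cleaned up
  row.user_id
end

# The check the reply warns against: treating a matching IP as identity.
# It returns every live user behind that address, so it cannot pick one.
def users_seen_from_ip(ip, rows, now: Time.now)
  rows.values
      .select { |r| r.ip == ip && r.user_id && now - r.changed <= IDLE_TIMEOUT }
      .map(&:user_id)
end

# Constructed sample data: two users behind the same NAT address.
NOW = Time.at(1_700_000_000)
ROWS = [
  SessionRow.new("a" * 26, 7,   "203.0.113.5",  NOW - 60),
  SessionRow.new("b" * 26, 9,   "203.0.113.5",  NOW - 30),
  SessionRow.new("c" * 26, nil, "203.0.113.5",  NOW - 10),   # login page only
  SessionRow.new("d" * 26, 4,   "198.51.100.2", NOW - 3600)  # idle too long
].to_h { |r| [r.sess_id, r] }

puts "session a -> #{roundcube_user_for('a' * 26, ROWS, now: NOW).inspect}"
puts "session c -> #{roundcube_user_for('c' * 26, ROWS, now: NOW).inspect}"
puts "by IP     -> #{users_seen_from_ip('203.0.113.5', ROWS, now: NOW).inspect}"
```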
