ruby on rails 3 - OmniAuth - current session not loaded on OpenID callback -


i'm using omniauth rails 3.1.4 , i'm trying allow authenticated users associate multiple openid providers account.

as unauthenticated user, signing in openid works fine. authenticated user, when try sign in different oid provider, when callback method executed, looks wasn't authenticated.

to me looks controller gets executed before sessions initialised (or sessions skipped).

what be?

confirming andrei serdeliuc's solution, disabling protect_from_forgery worked me (ruby 1.8.7, rails 2.3.11, omniauth 0.1.6)

in callbackcontroller (authenticationscontroller in famous screencast) adding skip_before_filter :verify_authenticity_token or protect_from_forgery :except => :create @ top of controller work !

as way csrf (cross-site request forgery) should verify identity of openid server, don't forget setup certificate verification (in initializer):

# first of ca-bundle.crt file (eg : open-source browser package) require "openid/fetchers" openid.fetcher.ca_file = "#{rails.root}/config/ca-bundle.crt""

it prevent warnings :

warning: making https request https://www.google.com/accounts/o8/id  without verifying server certificate; no ca path specified.

now sessions not reseted anymore, , can add several openid authentication curren_user.

cheers


Comments

Post a Comment

Popular posts from this blog

apache - Add omitted ? to URLs -

i working on website cms reads page name of query string, e.g. http://exmaple.com/?pagename . trying create rewrite rule rewrite ? . so, user types in /pagename , taken /?pagename try this: rewriteengine on rewritecond %{request_filename} !-d rewritecond %{request_filename} !-f rewriterule ^/?(.*) index.php?$1 [l]
Read more

redirect - bbPress Forum - rewrite to wwww.mysite prohibits login -

i using bbpress installation without wordpress integration. the redirect of rewriteengine @ forum site works: rewriteengine on rewritecond %{http_host} ^forum.mysite.com$ rewriterule (.*)$ http://www.forum.mysite.com/$1 [r=301,l] the problem login pppress. bbpress login not recognize: http://www.forum.mysite/bb-login.php . it redirects to: http://forum.mysite.com/bb-login.php . i tried permalink settings none , name based, same issue. does uses redirect in bbpress or how can eliminate "double" content , redirect permanently www.? i redirected www.forum.mysite.com forum.mysite.com , achieved eliminate "double" content.
Read more

php - How can I stop spam on my custom forum/blog? -

so have custom built forum & blog system of late has been dealing lot of spam. if wordpress use akismet, if different common platform i'm sure i'd find plugin. there kind of static class can download this? using php. i'd still go akismet, if it. uses outside of wordpress, may have pay fee it, depending on use -- check terms , conditions -- it's option , easy implement in php using api. use api key wordpress. com account access. basically, grab whichever php client library takes fancy -- use alex potsides' php5 library -- plug in key, , it's handful of lines of code. here's bare bones of validation straight 1 of live sites: ... if ($akismet) { $akismet->setcommentauthor($name); $akismet->setcommentauthoremail($session->userinfo["email"]); $akismet->setcommentauthorurl(""); $akismet->setcommentcontent($sentence);...
Read more