mb450
(Matt)
September 6, 2016, 10:15pm
1
Hi,
I need to destroy a session for a given user. (Using SSO at the moment.) My users can log out of my main website, but I want them to be logged out of the forum at the same time.
Here's what I've tried (cut-down test):
```php
<?php
// Cut-down test: DELETE /session/<username> as the "system" API user,
// with the API key and username passed in the query string (key elided).
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, 'https://forum.blah.com/session/admin1?api_key=<blah blah blah>=&api_username=system');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);   // follow any redirect
curl_setopt($ch, CURLOPT_HEADER, 1);           // keep response headers in the output
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);   // return the body instead of printing it
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, "DELETE");
$response = curl_exec($ch);
curl_close($ch);
var_dump($response);
```
I get a 302 redirect every time.
But if I do a DELETE from Postman with the same URL, it works perfectly…
What am I missing?!
mpalmer
(Matt Palmer)
September 6, 2016, 10:32pm
2
Where do you get redirected to, and what do the app logs say about the request?
mb450
(Matt)
September 6, 2016, 10:52pm
3
Hi Matt, thanks for the reply.
I've changed the domain to forum.blah.uk, but here's the response, otherwise unchanged:
```http
HTTP/1.1 302 Found
Server: nginx
Date: Tue, 06 Sep 2016 22:45:27 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Discourse-Username: system
X-Discourse-Route: session/destroy
Location: https://forum.blah.uk/
Set-Cookie: _forum_session=OERYWXRwYzlOY015T0lsT1ZJTzFKUlgwMnp3U2Uyd21lU1FXM3d5d0pzbXBXbXZUaDhzSG9QUFRUSi9iVlRaamNOS1I0bkExTzNqRzZEcWowVVl6S2c9PS0tbXNwR2p1aVJpZENHcVZ1V2plWmhNQT09--3e85c9bbc1ba07ef0131817b2576c9b4bbdaf1f2; path=/; HttpOnly
X-Request-Id: 16368f90-e840-4c55-8e66-7a4bb600c5b3
X-Runtime: 0.048811
Strict-Transport-Security: max-age=6912000
X-UA-Compatible: IE=edge

HTTP/1.1 404 Not Found
Server: nginx
Date: Tue, 06 Sep 2016 22:45:27 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 0
Connection: keep-alive
X-Request-Id: cf4a6822-f53d-4360-8250-b0a94bb924de
X-Runtime: 0.022277
```
I can't see anything in the error logs.
mpalmer
(Matt Palmer)
September 6, 2016, 11:17pm
4
Looking at the code, the redirect is actually expected behaviour… sort of:
```ruby
# session/destroy (the route named in the X-Discourse-Route header above)
def destroy
  reset_session
  log_off_user
  if request.xhr?
    render nothing: true
  else
    redirect_to (params[:return_url] || path("/"))
  end
end
```
If you add an `X-Requested-With: XMLHTTPRequest` header to your request, that'll suppress the redirect, and you'll get an empty-body 200 OK instead.
2 Likes
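The fix described in the reply above, written out as a small Ruby client for `DELETE /session/<username>` together with the branch the pasted `destroy` action takes, as an added example that is not code from this thread or from Discourse itself. The host `forum.blah.uk`, the username `admin1` and the API user `system` are the thread's own placeholders; the `Api-Key`/`Api-Username` header form of authentication is an assumption about the target server (newer Discourse releases accept it, and it keeps the key out of web-server access logs, where the query-string form used in the thread lands it), so the query-string form is kept as an option. Two caveats a practitioner should keep in mind: the pasted action never reads the username from the path (`reset_session` is Rails' reset of the current request's session), so confirm on the server side that the intended user's session is actually gone; and a 302 from this route is the non-XHR branch, not a failure, whereas following it with the DELETE verb reused is consistent with the 404 against `/` in the captured response.

```ruby
require "net/http"
require "uri"

# Build the DELETE /session/<username> request, with the X-Requested-With
# header that makes the controller take its XHR branch (empty 200 OK
# instead of a 302 to "/").
# by_header: true  -> credentials as Api-Key / Api-Username headers
#                     (assumed supported by the target Discourse)
#            false -> api_key / api_username in the query string, as in
#                     the thread (ends up in nginx access logs)
def build_logout_request(base_url, username, api_key, api_username, by_header: true)
  uri = URI.join(base_url, "/session/#{URI.encode_www_form_component(username)}")
  uri.query = URI.encode_www_form(api_key: api_key, api_username: api_username) unless by_header
  req = Net::HTTP::Delete.new(uri)
  req["X-Requested-With"] = "XMLHttpRequest"   # makes request.xhr? true
  req["Accept"] = "application/json"
  if by_header
    req["Api-Key"] = api_key
    req["Api-Username"] = api_username
  end
  req
end

# Send the request WITHOUT following redirects (Net::HTTP does not follow
# them by default): a 302 here is the controller's non-XHR branch, and
# replaying DELETE against the Location would only produce the 404 seen in
# the thread. Not exercised offline.
def send_logout(req)
  Net::HTTP.start(req.uri.host, req.uri.port, use_ssl: req.uri.scheme == "https") do |http|
    http.request(req)
  end
end

# Interpret the response the way the pasted action dictates. The
# X-Discourse-Route header (visible on the captured 302) confirms which
# action handled the request; header names are looked up case-insensitively.
def logout_outcome(status, response_headers)
  _, route = response_headers.find { |k, _| k.to_s.downcase == "x-discourse-route" }
  route = Array(route).first
  return :wrong_route unless route.nil? || route == "session/destroy"
  case status
  when 200 then :logged_out
  when 302 then route == "session/destroy" ? :logged_out_redirected : :redirected_elsewhere
  when 403 then :bad_api_credentials
  when 404 then :not_found
  else :unexpected
  end
end

# The decision the pasted SessionController#destroy makes, lifted out of
# Rails so it can be run here: request.xhr? is a case-insensitive match of
# "XMLHttpRequest" against X-Requested-With. Returns [status, headers, body].
def destroy_branch(request_headers, params = {})
  _, value = request_headers.find { |k, _| k.to_s.downcase == "x-requested-with" }
  if Array(value).first.to_s.match?(/XMLHttpRequest/i)
    [200, {}, ""]
  else
    [302, { "Location" => params[:return_url] || "/" }, ""]
  end
end

if $PROGRAM_NAME == __FILE__
  req = build_logout_request("https://forum.blah.uk", "admin1", ENV.fetch("API_KEY", "redacted"), "system")
  status, headers, _body = destroy_branch(req.to_hash)   # what the server would do with it
  puts "#{req.method} #{req.path} -> #{status} #{logout_outcome(status, headers)}"
end
```

`build_logout_request(..., by_header: false)` reproduces the thread's query-string form exactly; with either form, pass the result to `send_logout` and feed `response.code.to_i` and `response.to_hash` to `logout_outcome`. For logging out a specific other user, current Discourse also exposes an admin log-out endpoint; that is outside what this thread discusses and is not used here.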
mb450
(Matt)
September 7, 2016, 9:25am
6
@mpalmer, you, sir, are a legend.
2 Likes