Destroying a user's session via API


(Matt) #1

Hi,

I need to destroy a session for a given user. (I'm using SSO at the moment.) My users can log out of my main website, but I want them to be logged out of the forum at the same time.

Here’s what I’ve tried (cut down test)

    // Cut-down test: DELETE /session/<username>, authenticating with the API key in the query string.
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, 'https://forum.blah.com/session/admin1?api_key=<blah blah blah>=&api_username=system');
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1); // follow redirects (so a 302 becomes a second GET request)
    curl_setopt($ch, CURLOPT_HEADER, 1);         // include the response headers in $response
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); // return the response instead of printing it
    curl_setopt($ch, CURLOPT_CUSTOMREQUEST, "DELETE");
    $response = curl_exec($ch);
    var_dump($response);

I get a 302 redirect every time.

But if I do a delete from postman with the same url it works perfectly…

What am I missing?!


(Matt Palmer) #2

Where do you get redirected to, and what do the app logs say about the request?


(Matt) #3

Hi Matt, thanks for the reply.

I’ve changed the domain to forum.blah.uk but here’s the response, otherwise unchanged:

HTTP/1.1 302 Found\r\n

Server: nginx\r\n
Date: Tue, 06 Sep 2016 22:45:27 GMT\r\n
Content-Type: text/html; charset=utf-8\r\n
Transfer-Encoding: chunked\r\n
Connection: keep-alive\r\n
X-Frame-Options: SAMEORIGIN\r\n
X-XSS-Protection: 1; mode=block\r\n
X-Content-Type-Options: nosniff\r\n
X-Discourse-Username: system\r\n
X-Discourse-Route: session/destroy\r\n
Location: https://forum.blah.uk/\r\n
Set-Cookie: _forum_session=OERYWXRwYzlOY015T0lsT1ZJTzFKUlgwMnp3U2Uyd21lU1FXM3d5d0pzbXBXbXZUaDhzSG9QUFRUSi9iVlRaamNOS1I0bkExTzNqRzZEcWowVVl6S2c9PS0tbXNwR2p1aVJpZENHcVZ1V2plWmhNQT09--3e85c9bbc1ba07ef0131817b2576c9b4bbdaf1f2; path=/; HttpOnly\r\n
X-Request-Id: 16368f90-e840-4c55-8e66-7a4bb600c5b3\r\n
X-Runtime: 0.048811\r\n
Strict-Transport-Security: max-age=6912000\r\n
X-UA-Compatible: IE=edge\r\n
\r\n
HTTP/1.1 404 Not Found\r\n
Server: nginx\r\n
Date: Tue, 06 Sep 2016 22:45:27 GMT\r\n
Content-Type: text/html; charset=utf-8\r\n
Content-Length: 0\r\n
Connection: keep-alive\r\n
X-Request-Id: cf4a6822-f53d-4360-8250-b0a94bb924de\r\n
X-Runtime: 0.022277\r\n
\r\n

Can’t see anything in the error logs :persevere:


(Matt Palmer) #4

Looking at the code, the redirect is actually expected behaviour… sort of:

def destroy
  reset_session
  log_off_user
  if request.xhr?
    render nothing: true
  else
    redirect_to (params[:return_url] || path("/"))
  end
end

If you add an X-Requested-With: XMLHTTPRequest header to your request, that’ll suppress the redirect, and you’ll get an empty-body 200 OK instead.
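The fix described above, as an added example (not code from the thread or from Discourse): it sends the DELETE with the X-Requested-With header set, refuses to follow redirects so a missing header is reported as a failure rather than hidden behind the follow-up GET seen in post #3, and maps the outcome to a verdict the SSO logout code can act on. The host, key and the Api-Key header remark are assumptions, not taken from the thread.

```python
"""Log a user out of Discourse via DELETE /session/:username (added example)."""
import urllib.error
import urllib.request
from urllib.parse import quote, urlencode

REDIRECT_CODES = {301, 302, 303, 307, 308}


def build_logout_request(base_url, username, api_key, api_username="system"):
    """Build the DELETE request from post #1 with the XHR header from post #4."""
    # Query-string credentials as on the page; newer Discourse also accepts
    # Api-Key / Api-Username request headers, which keep the key out of URL logs.
    query = urlencode({"api_key": api_key, "api_username": api_username})
    url = f"{base_url.rstrip('/')}/session/{quote(username, safe='')}?{query}"
    req = urllib.request.Request(url, method="DELETE")
    # request.xhr? in the Rails controller keys off exactly this header.
    req.add_header("X-Requested-With", "XMLHttpRequest")
    return req


def classify(status, body=b""):
    """Map the HTTP outcome to a verdict the calling SSO logout code can act on."""
    if status == 200 and not body.strip():
        return "logged_out"      # the `render nothing: true` branch
    if status in REDIRECT_CODES:
        return "redirected"      # non-XHR branch: header missing or mangled
    if status == 404:
        return "not_found"       # route or user not found
    if status in (401, 403):
        return "unauthorized"    # api_key / api_username rejected
    return f"unexpected_{status}"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow 3xx so a redirect surfaces as HTTPError instead of a
    silent GET of the Location target (the trailing 404 in post #3)."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def logout_user(base_url, username, api_key, api_username="system", timeout=10):
    """Send the request and return classify()'s verdict."""
    opener = urllib.request.build_opener(_NoRedirect())
    req = build_logout_request(base_url, username, api_key, api_username)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return classify(err.code, err.read())
```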


(Matt) #5

Cool I’ll give it a go.

Thanks


(Matt) #6

@mpalmer you sir are a legend