Initially I was using basic http authentication to authenticate a user with devise following this guide:
http://jessehowarth.com/2011/04/27/ajax-login-with-devise
I was successfully able to authenticate a user, but the session remained logged in forever. There was no way to destroy the user's session. In fact, when I added the user_signed_in? method of devise within my create method, it would always return true even when logging out via json. So I came to the conclusion that there is no way to end a session using basic http authentication. All you could really do is check if the user is already signed in and send a status code as json back to the client.
So then I tried the authentication token route, which allowed you to create a session with an authentication token and then destroy a session by deleting that authentication token, and the user would have to sign in again in order to access pages that require authentication, as shown in this post:
Devise and Authentication with CURL !
The downside of this is the fact that you have this very long string that you have to enter in for each page that requires authentication, which seems a little undesirable. I wish there was a best of both worlds here, where you can log in and out like you do in a web browser.
I'm not sure if everything I am saying is accurate, but it seems in line with this post:
http authentication in devise and rails 3
In that post, he says authentication token is "more secure than http basic authentication since the key can expire". I assume he means that once you are logged in using basic authentication, then that's it, you are logged in forever, whereas with an authentication token you can expire it and force the user to sign in again. Is this an accurate interpretation?
Thanks for the response
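The difference the question is circling, shown as an added, self-contained Ruby model rather than Devise's own code: with HTTP Basic the client resends the credentials on every request, so the server holds nothing a sign-out could destroy, whereas a server-side token record can be revoked or left to expire. The user store, password and TTL are constructed for the demo.

```ruby
require 'base64'
require 'securerandom'
require 'digest'

# Constructed demo credential store (not Devise's): username => password.
USERS = { 'alice' => 'correct horse' }.freeze

# Constant-time equality so a wrong password is not detectable by timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# HTTP Basic: credentials travel in every request, so the server keeps no
# state that a "sign out" could destroy; the same header simply re-authenticates.
module BasicAuth
  def self.authenticate(authorization_header)
    scheme, encoded = authorization_header.to_s.split(' ', 2)
    return nil unless scheme == 'Basic' && encoded
    user, pass = Base64.strict_decode64(encoded).split(':', 2)
    USERS[user] && pass && secure_equal?(USERS[user], pass) ? user : nil
  rescue ArgumentError # malformed base64
    nil
  end
end

# Token auth: the server stores a hash of each issued token plus an expiry,
# so a token can be revoked (sign out) or simply age out.
class TokenAuth
  TTL = 3600 # seconds a token stays valid
  def initialize
    @tokens = {} # SHA-256 of token => { user:, expires_at: }
  end

  def sign_in(user, password, now: Time.now)
    return nil unless USERS[user] && secure_equal?(USERS[user], password)
    raw = SecureRandom.urlsafe_base64(32)
    @tokens[Digest::SHA256.hexdigest(raw)] = { user: user, expires_at: now + TTL }
    raw # the client presents this value on later requests
  end

  def authenticate(raw, now: Time.now)
    key = Digest::SHA256.hexdigest(raw.to_s)
    return nil unless (entry = @tokens[key])
    return entry[:user] if entry[:expires_at] > now
    @tokens.delete(key) # expired: drop it and force a fresh sign-in
    nil
  end

  def sign_out(raw)
    !@tokens.delete(Digest::SHA256.hexdigest(raw.to_s)).nil?
  end
end
```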