
Login and Logout

From the class: Session Cookies

I'd like to implement a simple log in and log out so that you get an intuitive sense of how that works with session. We're not going to actually plug into a database or do some of the extra things that you would do with an application framework, but it should be enough to show you the key parts of what's happening so that you have a good mental model for it. So I've added a couple things off camera.

Here's our normal sort of janky router where I look at the request method and the URL in a big switch statement. We'll call whichever block is appropriate for what's being requested from the client. And I've added three routes, one for the root, and then one for log in and one for log out. And I'm going to make them all GET requests so that we can do it easily from the browser without submitting any forms.

Let's clean up the top part of the function a little bit. Instead of ending, I'll let the case statements decide what to do. And I'll get rid of the unnecessary stuff here. And we'll call set session right before we end the response for each one of these.

Inside of the log in action, what we would normally do is get a user name and password from the browser. So the user might submit a form that has their user name and password. We'll go to the database and see whether or not that user name and password is correct.

So we might say here check with DB if user name and password is correct. And if it is, we're going to mark the current session as being authenticated. Now, for the sake of this video, we're just going to assume that that part succeeded. And we're just going to focus on the cookie and session part of this.

So to set the user logged in part of this session, we can just say request.session. And I'll set the logged in. Maybe we'll set the user ID. We could say the user ID is equal to-- I'll just hard code it to 1. And we could also say that the session is logged in, or logged in as equal to true.

So whatever set of things that you want to put onto the session object is fine. But this is going to indicate to the server that we have a user, and the user ID is whatever we get back from this process, and that the current session is logged in. And that's really all we're doing with authentication is we're adding some information to the current user session to indicate that they're authenticated. And then the cookie that they send up with every subsequent request serves like an authentication ticket.

Let's log the session value out to the console so that we can see that. And then I want to add a little bit of new functionality that we haven't seen before, which is to reset the session. We're going to use that for both logging out, where we want to just get rid of any previous session that existed, and we're also going to do it as a security precaution when you log in.

So it's a good idea to start with a fresh session. That way, if an old session gets left around, someone else can't use it to authenticate to the system. So up top here, let's create another method called reset session.

And what reset session is going to do is the same as line 49 and get session. It's just going to set the session value to a new object with a new ID. And so we can actually replace this else statement here with reset session and pass the request. Then down below, I'll call reset session with a request.

And we'll do the same thing for log out. So log out is going to just reset the session. It's going to set it to a brand new ID, brand new empty object, and get rid of these two properties of the session that we had set previously during the log in process.

One quick fix. You might have noticed watching, but I missed it somehow. We'll fix this to have two S's. So it's reset session. I needed to name that function correctly.

Let's try it out in the browser. I'll start off by clearing the previous cookies so we don't end up with any kind of errors here. And if I refresh, the log over on the right shows that initial request to the root URL. And we get an ID immediately.

And that ID on the subsequent request gets passed up. So we have our session. And now what I want to do is navigate to the log in page.

So it's going to be under the log in URL. And normally this would take us to an actual log in form. But because we designed this very simply, when I press Enter it's just going to make a GET request to the server which will log us in automatically.

Now, notice what has happened. Here is the request of the log in. And at this point, we're not logged in yet. But then when the browser automatically tries to get the favicon, which is the next request-- and this just happens automatically because Chrome is trying to be smart to grab the favicon that goes up here. And on that subsequent request, we are logged in.

So look at this object. This is what the session object is at this point. We got a new ID. Notice it's different from this one. And we have now a user ID and the logged in is set to true.

Now, the great thing is if I go to any other page on this site-- say just localhost, go to the root URL. And I can refresh this as many times as I want. It's a little hard to see. But the log is refreshing on the right. And I remain in a logged in state.

So notice the ID of the session stays the same. And the user ID stays the same. And so does the logged in property. So this cookie that the browser is sending up, the app session value here, serves as our ticket, our authentication ticket. And when the server gets that, it can tell that this user has been authenticated successfully based on these attributes that are attached to the session object.

Now let's visit the log out URL. The log out action. All the log out action does, if you recall, is reset the session. Notice now our session ID is changed. So it's now 4855 instead of this 3957. And it's also set the session object to a new object.

So we've gotten rid of the user ID and logged in. And now as far as the server is concerned, every time this cookie gets sent up to the server, since there's no user ID and no logged in property, the user is, in effect, logged out. And giving it a brand new ID is another kind of security mechanism to make sure that the old ID is no longer valid at all.

So if you're working at a coffee shop or something, that cookie just becomes a completely unauthenticated cookie. And it's not even valid anymore. So we completely reset the session.
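
The flow walked through above, as an added example that is not the code from the video: a Node.js handler with get session, reset session and set session, where log in and log out both issue a fresh session ID and drop the old one from the store. The cookie name `app_session`, the in-memory `Map` store, the cookie attributes and the 128-bit random IDs are assumptions made for this sketch.

```javascript
// Added example; function names mirror the transcript, everything else is assumed.
const { randomBytes } = require("crypto");

const sessions = new Map();      // in-memory store: session ID -> session object
const COOKIE = "app_session";    // assumed cookie name
const COOKIE_RE = new RegExp("(?:^|;\\s*)" + COOKIE + "=([0-9a-f]{32})");

// Unpredictable ID so a valid session cannot be guessed.
function newId() { return randomBytes(16).toString("hex"); }

// Discard the session the request carried and attach a brand new, empty one.
function resetSession(req) {
  if (req.session) sessions.delete(req.session.id);  // old ID is no longer valid
  req.session = { id: newId() };
  sessions.set(req.session.id, req.session);
}

// Load the session named by the cookie; a missing or unknown ID gets a new session.
function getSession(req) {
  const m = COOKIE_RE.exec(req.headers.cookie || "");
  req.session = m ? sessions.get(m[1]) : undefined;
  if (!req.session) resetSession(req);
}

// Send the current session ID back to the browser.
function setSession(req, res) {
  res.setHeader("Set-Cookie", `${COOKIE}=${req.session.id}; HttpOnly; SameSite=Lax; Path=/`);
}

function handle(req, res) {
  getSession(req);
  switch (`${req.method} ${req.url}`) {  // GET-only routes, for the demo as in the video
    case "GET /login":
      // The user name / password check against the database would go here.
      resetSession(req);                 // start from a fresh session on log in
      req.session.userId = 1;
      req.session.loggedIn = true;
      break;
    case "GET /logout":
      resetSession(req);                 // new ID, empty object: logged out
      break;
  }
  setSession(req, res);
  res.end(JSON.stringify(req.session));
}

// To serve it locally: require("http").createServer(handle).listen(3000);
```

Replaying the cookie value that was issued at log in after visiting the log out URL returns a new, empty session, because the old ID has been deleted from the store.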