Unable to retrieve session value in View

Question

I am unable to fetch session value I am storing in Controller Level. Code below:

Login File

<div class="login">
  <h1>Login to HITS</h1>
  <div><%= flash[:notice] %></div>
  <div><%= session[:userinfo] %></div>
  <form method="post" action="isloggedin">
    <p><input id="login" type="text" name="login" value="" placeholder="Username or Email"></p>
    <p><input id="password" type="password" name="password" value="" placeholder="Password"></p>
    <p class="submit"><input type="submit" name="commit" value="Login"></p>
  </form>
</div>

Controller File

class UserController < ApplicationController
  protect_from_forgery
    def isloggedin
        login = params[:login].to_s
        password = params[:password].to_s
        logged_in = User.where(:user_name => login,:password => password).limit(1)
        if not logged_in.blank?
          #session[:userinfo] = logged_in
          session[:userinfo] = 'Name'
          puts(session[:userinfo])
          redirect_to '/event/list'
        else
          #render :json => { :status => :fail}
          #flash[:error] = 'Unable to login'
          redirect_to '/user/login',:flash => { :error => "Insufficient rights!" }
        end

      end
end

In Both View and Controller I did following:

@picture = session[:userinfo] #at Controller Level
<%= @picture %>

It prints Nothing.

I am on Rails4 session.store.rb

Rails.application.config.session_store :cookie_store, key: '_APP_session'

I can see sessional cookie is being created.

Update: Console gives following message:

Processing by UserController#isloggedin as HTML
  Parameters: {"login"=>"Jhon", "password"=>"[FILTERED]", "commit"=>"Login"}
Can't verify CSRF token authenticity

Update#2

In my Login form I can't see something like given below. How do I manually add it?

<div style="display:none"><input name="utf8" type="hidden" value="&#x2713;" /><input name="authenticity_token" type="hidden" value="a4y1SDHaXHRkiyIW8AncOYcPgRiO5syFXihKc5qqZlg=" /></div>

`puts(session[:userinfo])` should print to server terminal log, are you sure nothing shows!! — Nimir, Oct 29 '14 at 10:59
you are redirecting to ``/events/list``. try using ``<%= session[:userinfo] %>`` instead of ``<%= @picture %>`` — rejin, Oct 29 '14 at 11:23
are you sure you are adding @picture in the list method on event controller? — rejin, Oct 29 '14 at 11:33
@Nimir It is showing if I print in same method but not in other controller — Volatil3, Oct 29 '14 at 12:11
here are some possibilities http://stackoverflow.com/questions/18422182/rails-sessions-not-saving --- specially CSRF token — Nimir, Oct 29 '14 at 12:18
@Nimir but I am using `protect from forgery` what else am I missing? — Volatil3, Oct 29 '14 at 12:27

score 1 · Accepted Answer · answered Oct 29 '14 at 12:28

1

Since you are getting a warning "can't verify CSRF Token" in log then probably session is been reset with every request

Adding to your layout (application_layout head tag):

<%= csrf_meta_tags %>

Should clear the warning and solve session issue!

answered Oct 29 '14 at 12:28

Nimir

5,727
1
26
34

It is also in `` section of layouts\application.html.erb – Volatil3 Oct 29 '14 at 12:31
I can see following in Head: '` `` – Volatil3 Oct 29 '14 at 12:33
I added `` and it worked like charm. I adding your answer since it gave the hint – Volatil3 Oct 29 '14 at 12:50

BroiSatse · Answer 2 · 2014-10-29T12:51:04.887

logged_in = User.where(:user_name => login,:password => password).limit(1)
if not logged_in.blank?

The if statement is always falsy. logged_in is ActiveRecord::Relation object which is never blank. Change it to:

if User.find_by(user_name: login, password: password)

Other bits:

Never,ever,ever,ever store plain passwords in your database! This is a serious security breach - imagine the backup of your database got into hacker hands. With hashed passwords hacker got all your data, but is not able to log in as another user. Use has_secure_password feature to handle password hashing.

After question edit:

Do not build your views by hand, use form helpers - they will make your life easier:

<div class="login">
  <h1>Login to HITS</h1>
  <div><%= flash[:notice] %></div>
  <div><%= session[:userinfo] %></div>
  <%= form_tag action: 'isloggedin' do %>
    <p><%= text_field_tag :login, nil, placeholder: 'Username or Email'></p>
    <p><%= password_field_tag :password, nil, placeholder: 'Password'%></p>
    <p class="submit"><%= submit_tag :commit, 'Login'></p>
  <% end %>
</div>

form_tag and form_for will automatically add CRSF hidden field to the form.

Thanks. But I am not being able to get session variable even in blank method — Volatil3, Oct 29 '14 at 12:10
No. My issue is not getting data from Db but from session variable. Even setting out of `if` condition I can not get it back in other controller — Volatil3, Oct 29 '14 at 12:19

Unable to retrieve session value in View

2 Answers2

Other bits:

After question edit: