I am writing authentication for a Phoenix Elixir app. I have a Plug in my Browser Pipeline that checks for the user_id in the session. If it exists I add the User to the conn:
router.ex
pipeline :browser do
plug :accepts, ["html"]
plug :fetch_session
plug :fetch_flash
plug :protect_from_forgery
plug :put_secure_browser_headers
plug AccountMgr.Plugs.CheckSessionForUser
end
check_for_user_on_session.ex
def call(conn, _opts) do
user_id = get_session(conn, :user_id)
cond do
user = user_id && Repo.get(User, user_id) ->
assign(conn, :current_user, user)
true ->
assign(conn, :current_user, nil)
end
end
In my Login function I add the user_id to the session if the credentials are correct:
cond do
user && checkpw(password, user.password_hash) ->
conn
|> assign(:user, user)
|> put_session(:user_id, user.id)
|> configure_session(renew: true)
|> redirect(to: portfolio_path(conn, :index))
user ->
{:error, :unauthorised, conn}
true ->
dummy_checkpw()
{:error, :not_found, conn}
end
In my Logout function I am calling configure_session (conn, drop: true)
.
def logout(conn, _params) do
configure_session(conn, drop: true)
redirect(conn, to: authentication_path(conn, :index))
end
I am using IO.puts
to show the user_id
on the session before and after I call the configure_session
function and the user_id
is still present.
I am also logging the user_id in the check_for_user_on_session.ex Plug and it also shows the user_id present when it is called after the redirect from the logout function.
I am not sure what I am missing but I am expecting that the session cookie would be destroyed after the logout function and a new one created for the next page load through the router and Browser Pipeline
Thanks in advance
IO.puts
to show theuser_id
, I think you need to check it with next request, not the present one – David Whitlock