fluentd-ui/app/controllers/sessions_controller.rb

class SessionsController < ApplicationController
  layout "sign_in"
  skip_before_action :login_required, only: [:new, :create]
  before_action :set_user

  def create
    unless @user.authenticate(session_params[:password])
      flash.now[:notice] = I18n.t("messages.login_failed")
      return render :new
    end
    sign_in @user
    if session_params[:password] == Settings.default_password
      flash[:warning] = t('terms.changeme_password')
    end
    redirect_to root_path
  end

  def destroy
    session.delete :user_name
    session.delete :password
    redirect_to new_sessions_path
  end

  private

  def set_user
    @user = User.new(name: (params[:session] || {})[:name])
  end

  def session_params
    params.require(:session).permit(:name, :password)
  end

  def sign_in(user)
    # NOTE: Cookie will encrypt by Rails, but store raw password into session is a bad practice.
    #       If we use some DB in the future, change this to store token with expire limitation (not password).
    #
    #       Currently, only store to session if default password is used.
    # TODO: How to keep a login session to be decide
    session[:user_name] = user.name
    session[:password]  = session_params[:password]
  end
end