Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Added a some deployment instructions.
Signed-off-by: Ben Johnson <bjohnson@binarylogic.com>
- Loading branch information
1 parent
424eb0a
commit 495e95e
Showing
1 changed file
with
6 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
495e95e
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could some one please elaborate or hint at what could go wrong if one does use cookie sessions? :)
495e95e
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Upgrading to the latest version of Passenger (2.0.6) seems to fix the problem, at least for me.
495e95e
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am unable to log out, even on 2.0.6. I was under the impression that it had been fixed on Passenger edge, but wasn’t yet in the gem version.
The problem only arose a couple of weeks ago, when using edge rails.
495e95e
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
See ticket #1601 , it seems that reset_session is not working properly.
495e95e
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I do use Passenger with edge Rails and cookies (all cookies not just the cookie sessions) are broken right now due to Rack 1.0 / Passenger 2.0.6 incompatibility (there is a fix in the edge Passenger and will be released with Passenger 2.1).
Authlogic doesn’t use
reset_session
and shouldn’t really care if it works or not.I was planning to go with plain cookie authentication for Authlogic as it is more efficient anyways, but thanks for the heads up.
PS: maybe we should just always reset
persistence_token
inSession#destroy
to avoid all the problems altogether?495e95e
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
binarylogic: my bad, I thought logging in resets @persistence_token
anyway.495e95e
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This stuff is supposed to be fixed with the upcoming Rails 2.3.1 and Passenger 2.1.1 releases, right? I’m giving it a shot now, in any case :)
495e95e
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
trevorturk: Yes.
495e95e
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
not sure… i’m running rails 2.3.2 and Passenger 2.1.2, and my problem persists; can’t clear auth session, and hence no logout…
495e95e
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That’s odd, anthon – it now works for me. Did you update your httpd.conf and run the passenger-install-apache2-module command?
495e95e
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fixed for me with Passenger 2.2.1 and Rails 2.3.2
495e95e
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Worked for me on Passenger 2.2.2 (note: do passenger-install-apache2-module and update your httpd.conf) and Rails 2.3.2
495e95e
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have this same logout problem when using Cucumber to run tests (where in a single scenario I go from being logged in to logging out). But, I've also seen this problem with Passenger 2.2.2 and Rails 2.3.2.
495e95e
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I tried changing to an ActiveRecord session store and that did not fix it.
495e95e
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
My bad (issue with our logout), I have it working with cookie store now, with Passenger 2.2.2 or Mongrel, and Rails 2.3.2.
495e95e
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Still broken for me on Rails 2.3.4 and Passenger 2.2.5. Probably going to switch to some other session store.
495e95e
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not working for me at spokt.com: Rails 2.3.4 and Passenger 2.2.5. I'll try the ActiveRecord Session store.
495e95e
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We experienced the same issue with Mongrel, Rails 2.3.4 and a Redis-based session store. We are using per-account subdomains which adds confusion to the cookie issues. In our case, logout did not work for IE. Firefox was ok though.
I believe that the problem is with the headers returned to the client on logout. It seems that IE7 keeps a session cookie around after logout that authlogic does not intend for it to keep. This cookie has the authlogic persistence token which matches to the users table (not user sessions) causing the client to automatically re-login after logout.
To determine the source of the problem, we temporarily switched to activerecord based sessions. By looking in the database, could see that the server-side correctly logged out the client in the session store. But even though the data was removed from the server's session store, the client would be logged back in automatically on the next page view after the logout action. Therefore it had to be caused by cookies stored in the browser.
At first, clearing cookies in IE7 did not seem to log the user out. But then we found that IE7 does not actually clear session cookies when you tell it to using the options menu. Only when we used the developer toolbar for IE7 could we actually remove the cookies and then the client would not automatically re-login. This IE7 bug is besides the point, the point is that the source of the problem is that the browser keeps the authlogic persistence token around after logout.
SOOOOO, we ended up clearing the authlogic persistence token in our users table on logout. Even though this has the downside mentioned by binarylogic it is the only way to be sure of logout without diving into complicated debugging of browser-specific session cookie peculiarities.
Hope this helps someone out there.
495e95e
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
BTW, I don't like using ActiveRecord store because it puts load on the db for session-related work. There are two downsides: #1 extra db reads and writes for every page view #2 stale sessions building up in the db which need to be purged periodically. Neither of these is a big deal but they build up when you get high traffic.
Typically, memcache is a better match for session storage since sessions are transient. But if your site wants sessions to last for weeks and weeks then persistent db storage might be a better match.
495e95e
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It may be related to Rails sending no "Cache-Control: private" on redirect_to but still sends the Set-Cookie header which in turn MAY become cachable. Besides this being a security problem, it becomes especially problematic with
:cookie_store
because that carries the complete session data instead of only some hash which points to session data. Overwritingredirect_to_full_url
to sendheaders["Cache-Control"] = "private"
fixed most of the issues I observed with any auth mechanism.495e95e
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
FYI: I had issues with AuthLogic not logging out when I had Safari in Private Browsing mode..
495e95e
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I noticed a similar issue when running integration tests against a Rails 2.3.8 app using Authlogic. In my case, I am using Cucumber & Webrat to test the app's API which authenticates via basic authentication. I noticed that the first request would run fine, but all subsequent requests would error out in the middleware stack. Turns out it was coming from the CookieStore; switching to the AR SessionStore fixed the problem.