Skip to content

Commit

Permalink
Added a some deployment instructions.
Browse files Browse the repository at this point in the history 
Signed-off-by: Ben Johnson <bjohnson@binarylogic.com>
  • Loading branch information
@ariejan @binarylogic
ariejan authored and binarylogic committed Feb 27, 2009
1 parent 424eb0a commit 495e95e
Showing 1 changed file with 6 additions and 0 deletions.
6 changes: 6 additions & 0 deletions README.rdoc
View file
Expand Up @@ -487,6 +487,12 @@ In your test, before you execute a request, just call one of those methods and i

You can also checkout the authlogic_example application (see helpful links above), the tests there use this.

== Deployment

When deploying your application to Apache and Passenger/mod_rails you should use Rails' ActiveRecord session store. Other Rails session systems can be problematic and give you unexpected results (like not being able to logout).

AuthLogic has proven itself in different and complex production environments using the ActiveRecord session store.

== Framework agnostic (Rails, Merb, etc.)

I designed Authlogic to be framework agnostic, meaning it doesn't care what framework you use it in. Right out of the box it supports rails and merb. I have not had the opportunity to use other frameworks, but the only thing stopping Authlogic from being used in other frameworks is a simple adapter. Check out controller_adapters/rails_adapter, or controller_adapters/merb_adapter.
Expand Down

22 comments on commit 495e95e

@thedarkone
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could some one please elaborate or hint at what could go wrong if one does use cookie sessions? :)

@jnicklas
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Upgrading to the latest version of Passenger (2.0.6) seems to fix the problem, at least for me.

@joshpencheon
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am unable to log out, even on 2.0.6. I was under the impression that it had been fixed on Passenger edge, but wasn’t yet in the gem version.

The problem only arose a couple of weeks ago, when using edge rails.

@ropiku
Copy link

@ropiku ropiku commented on 495e95e Feb 28, 2009

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See ticket #1601 , it seems that reset_session is not working properly.

@thedarkone
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I do use Passenger with edge Rails and cookies (all cookies not just the cookie sessions) are broken right now due to Rack 1.0 / Passenger 2.0.6 incompatibility (there is a fix in the edge Passenger and will be released with Passenger 2.1).

Authlogic doesn’t use reset_session and shouldn’t really care if it works or not.

I was planning to go with plain cookie authentication for Authlogic as it is more efficient anyways, but thanks for the heads up.

PS: maybe we should just always reset persistence_token in Session#destroy to avoid all the problems altogether?

@thedarkone
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

binarylogic: my bad, I thought logging in resets @persistence_token anyway.

@trevorturk
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This stuff is supposed to be fixed with the upcoming Rails 2.3.1 and Passenger 2.1.1 releases, right? I’m giving it a shot now, in any case :)

@thedarkone
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

trevorturk: Yes.

@anthon
Copy link

@anthon anthon commented on 495e95e Mar 17, 2009

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more. 

This stuff is supposed to be fixed with the upcoming Rails 2.3.1 and Passenger 2.1.1 releases, right? I’m giving it a shot now, in any case :)

not sure… i’m running rails 2.3.2 and Passenger 2.1.2, and my problem persists; can’t clear auth session, and hence no logout…

@joshpencheon
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That’s odd, anthon – it now works for me. Did you update your httpd.conf and run the passenger-install-apache2-module command?

@mattvanhorn
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fixed for me with Passenger 2.2.1 and Rails 2.3.2

@rlgonzales
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Worked for me on Passenger 2.2.2 (note: do passenger-install-apache2-module and update your httpd.conf) and Rails 2.3.2

@chris
Copy link

@chris chris commented on 495e95e May 28, 2009

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have this same logout problem when using Cucumber to run tests (where in a single scenario I go from being logged in to logging out). But, I've also seen this problem with Passenger 2.2.2 and Rails 2.3.2.

@chris
Copy link

@chris chris commented on 495e95e Jun 1, 2009

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I tried changing to an ActiveRecord session store and that did not fix it.

@chris
Copy link

@chris chris commented on 495e95e Jun 1, 2009

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My bad (issue with our logout), I have it working with cookie store now, with Passenger 2.2.2 or Mongrel, and Rails 2.3.2.

@seancribbs
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Still broken for me on Rails 2.3.4 and Passenger 2.2.5. Probably going to switch to some other session store.

@danhixon
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not working for me at spokt.com: Rails 2.3.4 and Passenger 2.2.5. I'll try the ActiveRecord Session store.

@jacob
Copy link

@jacob jacob commented on 495e95e Jan 4, 2010

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We experienced the same issue with Mongrel, Rails 2.3.4 and a Redis-based session store. We are using per-account subdomains which adds confusion to the cookie issues. In our case, logout did not work for IE. Firefox was ok though.

I believe that the problem is with the headers returned to the client on logout. It seems that IE7 keeps a session cookie around after logout that authlogic does not intend for it to keep. This cookie has the authlogic persistence token which matches to the users table (not user sessions) causing the client to automatically re-login after logout.

To determine the source of the problem, we temporarily switched to activerecord based sessions. By looking in the database, could see that the server-side correctly logged out the client in the session store. But even though the data was removed from the server's session store, the client would be logged back in automatically on the next page view after the logout action. Therefore it had to be caused by cookies stored in the browser.

At first, clearing cookies in IE7 did not seem to log the user out. But then we found that IE7 does not actually clear session cookies when you tell it to using the options menu. Only when we used the developer toolbar for IE7 could we actually remove the cookies and then the client would not automatically re-login. This IE7 bug is besides the point, the point is that the source of the problem is that the browser keeps the authlogic persistence token around after logout.

SOOOOO, we ended up clearing the authlogic persistence token in our users table on logout. Even though this has the downside mentioned by binarylogic it is the only way to be sure of logout without diving into complicated debugging of browser-specific session cookie peculiarities.

Hope this helps someone out there.

@jacob
Copy link

@jacob jacob commented on 495e95e Jan 4, 2010

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

BTW, I don't like using ActiveRecord store because it puts load on the db for session-related work. There are two downsides: #1 extra db reads and writes for every page view #2 stale sessions building up in the db which need to be purged periodically. Neither of these is a big deal but they build up when you get high traffic.

Typically, memcache is a better match for session storage since sessions are transient. But if your site wants sessions to last for weeks and weeks then persistent db storage might be a better match.

@kakra
Copy link

@kakra kakra commented on 495e95e Jan 5, 2010

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It may be related to Rails sending no "Cache-Control: private" on redirect_to but still sends the Set-Cookie header which in turn MAY become cachable. Besides this being a security problem, it becomes especially problematic with :cookie_store because that carries the complete session data instead of only some hash which points to session data. Overwriting redirect_to_full_url to send headers["Cache-Control"] = "private" fixed most of the issues I observed with any auth mechanism.

@benr75
Copy link

@benr75 benr75 commented on 495e95e Jan 15, 2010

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

FYI: I had issues with AuthLogic not logging out when I had Safari in Private Browsing mode..

@adamstrickland
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I noticed a similar issue when running integration tests against a Rails 2.3.8 app using Authlogic. In my case, I am using Cucumber & Webrat to test the app's API which authenticates via basic authentication. I noticed that the first request would run fine, but all subsequent requests would error out in the middleware stack. Turns out it was coming from the CookieStore; switching to the AR SessionStore fixed the problem.

Please sign in to comment.