Added some deployment instructions.

Signed-off-by: Ben Johnson <bjohnson@binarylogic.com>
ariejan authored and binarylogic committed Feb 27, 2009
1 parent 424eb0a commit 495e95e5a2f724e6f1e339c4871168c6c5e6a7ca
Showing with 6 additions and 0 deletions.
  1. +6 −0 README.rdoc
@@ -487,6 +487,12 @@ In your test, before you execute a request, just call one of those methods and i
You can also checkout the authlogic_example application (see helpful links above), the tests there use this.
== Deployment
When deploying your application to Apache and Passenger/mod_rails you should use Rails' ActiveRecord session store. Other Rails session systems can be problematic and give you unexpected results (like not being able to logout).
AuthLogic has proven itself in different and complex production environments using the ActiveRecord session store.
== Framework agnostic (Rails, Merb, etc.)
I designed Authlogic to be framework agnostic, meaning it doesn't care what framework you use it in. Right out of the box it supports rails and merb. I have not had the opportunity to use other frameworks, but the only thing stopping Authlogic from being used in other frameworks is a simple adapter. Check out controller_adapters/rails_adapter, or controller_adapters/merb_adapter.
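
Review bot: The new Deployment paragraph warns that "Other Rails session systems can be problematic" without naming which session stores are affected or under which Passenger/Rails versions, so a reader cannot tell whether the warning applies to their setup; name the store(s) and the failure condition, or link the tracking ticket. In the same paragraph "logout" is used as a verb and should read "log out", and "AuthLogic" in the second added line is capitalised differently from "Authlogic" in the surrounding README text.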

22 comments on commit 495e95e

thedarkone Feb 28, 2009

Could someone please elaborate or hint at what could go wrong if one does use cookie sessions? :)

jnicklas Feb 28, 2009

Upgrading to the latest version of Passenger (2.0.6) seems to fix the problem, at least for me.

joshpencheon Feb 28, 2009

I am unable to log out, even on 2.0.6. I was under the impression that it had been fixed on Passenger edge, but wasn’t yet in the gem version.

The problem only arose a couple of weeks ago, when using edge rails.

ropiku Feb 28, 2009

See ticket #1601, it seems that reset_session is not working properly.

thedarkone Feb 28, 2009

I do use Passenger with edge Rails and cookies (all cookies not just the cookie sessions) are broken right now due to Rack 1.0 / Passenger 2.0.6 incompatibility (there is a fix in the edge Passenger and will be released with Passenger 2.1).

Authlogic doesn’t use reset_session and shouldn’t really care if it works or not.

I was planning to go with plain cookie authentication for Authlogic as it is more efficient anyways, but thanks for the heads up.

PS: maybe we should just always reset persistence_token in Session#destroy to avoid all the problems altogether?

thedarkone Feb 28, 2009

binarylogic: my bad, I thought logging in resets @persistence_token anyway.

trevorturk Mar 2, 2009

This stuff is supposed to be fixed with the upcoming Rails 2.3.1 and Passenger 2.1.1 releases, right? I’m giving it a shot now, in any case :)

thedarkone Mar 2, 2009

trevorturk: Yes.

anthon Mar 17, 2009

> This stuff is supposed to be fixed with the upcoming Rails 2.3.1 and Passenger 2.1.1 releases, right? I’m giving it a shot now, in any case :)

Not sure… I’m running Rails 2.3.2 and Passenger 2.1.2, and my problem persists; can’t clear auth session, and hence no logout…

joshpencheon Mar 17, 2009

That’s odd, anthon – it now works for me. Did you update your httpd.conf and run the passenger-install-apache2-module command?

mattvanhorn Apr 26, 2009

fixed for me with Passenger 2.2.1 and Rails 2.3.2

rlgonzales May 21, 2009

Worked for me on Passenger 2.2.2 (note: do passenger-install-apache2-module and update your httpd.conf) and Rails 2.3.2

chris May 28, 2009

I have this same logout problem when using Cucumber to run tests (where in a single scenario I go from being logged in to logging out). But, I've also seen this problem with Passenger 2.2.2 and Rails 2.3.2.

chris Jun 1, 2009

I tried changing to an ActiveRecord session store and that did not fix it.

chris Jun 1, 2009

My bad (issue with our logout), I have it working with cookie store now, with Passenger 2.2.2 or Mongrel, and Rails 2.3.2.

seancribbs Oct 3, 2009

Still broken for me on Rails 2.3.4 and Passenger 2.2.5. Probably going to switch to some other session store.

danhixon Dec 6, 2009

Not working for me at spokt.com: Rails 2.3.4 and Passenger 2.2.5. I'll try the ActiveRecord Session store.

jacob Jan 4, 2010

We experienced the same issue with Mongrel, Rails 2.3.4 and a Redis-based session store. We are using per-account subdomains which adds confusion to the cookie issues. In our case, logout did not work for IE. Firefox was ok though.

I believe that the problem is with the headers returned to the client on logout. It seems that IE7 keeps a session cookie around after logout that authlogic does not intend for it to keep. This cookie has the authlogic persistence token which matches to the users table (not user sessions) causing the client to automatically re-login after logout.

To determine the source of the problem, we temporarily switched to activerecord based sessions. By looking in the database, we could see that the server-side correctly logged out the client in the session store. But even though the data was removed from the server's session store, the client would be logged back in automatically on the next page view after the logout action. Therefore it had to be caused by cookies stored in the browser.

At first, clearing cookies in IE7 did not seem to log the user out. But then we found that IE7 does not actually clear session cookies when you tell it to using the options menu. Only when we used the developer toolbar for IE7 could we actually remove the cookies and then the client would not automatically re-login. This IE7 bug is beside the point; the point is that the source of the problem is that the browser keeps the authlogic persistence token around after logout.

SOOOOO, we ended up clearing the authlogic persistence token in our users table on logout. Even though this has the downside mentioned by binarylogic it is the only way to be sure of logout without diving into complicated debugging of browser-specific session cookie peculiarities.

Hope this helps someone out there.
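
Added example (not part of the thread and not Authlogic's code): a small model of the failure described in the comment above, where the server-side session is destroyed but a client that keeps its persistence-token cookie is authenticated again on the next request. The `App` and `User` classes and the cookie names are hypothetical stand-ins.

```ruby
require "securerandom"

# Hypothetical stand-ins for illustration; these are not Authlogic classes.
User = Struct.new(:login, :persistence_token)

class App
  def initialize(users, reset_token_on_logout:)
    @users = users
    @sessions = {} # server-side session store: session id => login
    @reset_token_on_logout = reset_token_on_logout
  end

  # Log in and return the cookies the server sets (names are assumptions).
  def login(user)
    sid = SecureRandom.hex(8)
    @sessions[sid] = user.login
    { "sid" => sid, "user_credentials" => user.persistence_token }
  end

  # Resolve the user from the session first, then from the persistence cookie.
  def current_user(cookies)
    login = @sessions[cookies["sid"]]
    return @users.find { |u| u.login == login } if login
    token = cookies["user_credentials"]
    token && @users.find { |u| u.persistence_token == token }
  end

  # Destroy the server-side session; optionally rotate the user's token.
  def logout(cookies)
    user = current_user(cookies)
    @sessions.delete(cookies["sid"])
    user.persistence_token = SecureRandom.hex(32) if user && @reset_token_on_logout
  end
end

# True when a client that kept its cookies after logout is still authenticated.
def stale_cookie_still_valid?(reset_token_on_logout)
  user = User.new("alice", SecureRandom.hex(32)) # constructed sample user
  app = App.new([user], reset_token_on_logout: reset_token_on_logout)
  jar = app.login(user)
  app.logout(jar) # the jar is deliberately not cleared
  !app.current_user(jar).nil?
end

puts "session-only logout, stale cookie accepted: #{stale_cookie_still_valid?(false)}"
puts "token reset on logout, stale cookie accepted: #{stale_cookie_still_valid?(true)}"
```

Rotating the token on logout invalidates every other browser that holds the same persistence cookie for that user.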

jacob Jan 4, 2010

BTW, I don't like using ActiveRecord store because it puts load on the db for session-related work. There are two downsides: #1 extra db reads and writes for every page view #2 stale sessions building up in the db which need to be purged periodically. Neither of these is a big deal but they build up when you get high traffic.

Typically, memcache is a better match for session storage since sessions are transient. But if your site wants sessions to last for weeks and weeks then persistent db storage might be a better match.

kakra Jan 5, 2010

It may be related to Rails sending no "Cache-Control: private" on redirect_to but still sending the Set-Cookie header, which in turn MAY become cacheable. Besides this being a security problem, it becomes especially problematic with :cookie_store because that carries the complete session data instead of only some hash which points to session data. Overwriting redirect_to_full_url to send headers["Cache-Control"] = "private" fixed most of the issues I observed with any auth mechanism.
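
Added example (not from the thread or from Rails): the header fix described in the comment above, done as a Rack-style middleware instead of an override of redirect_to_full_url, and generalised to every response that carries Set-Cookie rather than redirects only. The class name and the two sample apps are constructed for illustration.

```ruby
# Rack-style middleware in plain Ruby: any response that sets a cookie is
# marked "Cache-Control: private" so that shared caches must not store it.
class PrivateWhenSettingCookies
  def initialize(app)
    @app = app
  end

  def call(env)
    status, headers, body = @app.call(env)
    if header(headers, "set-cookie")
      directives = header(headers, "cache-control").to_s.split(/\s*,\s*/)
      directives.reject! { |d| d.casecmp?("public") }
      unless directives.any? { |d| d.casecmp?("private") || d.casecmp?("no-store") }
        directives << "private"
      end
      key = headers.keys.find { |k| k.casecmp?("cache-control") } || "Cache-Control"
      headers[key] = directives.join(", ")
    end
    [status, headers, body]
  end

  private

  # Header names are case-insensitive, so look the value up accordingly.
  def header(headers, name)
    pair = headers.find { |k, _| k.casecmp?(name) }
    pair && pair[1]
  end
end

# Constructed sample: a logout action that redirects and expires a cookie.
LOGOUT_REDIRECT = lambda do |_env|
  expired = "user_credentials=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT"
  [302, { "Location" => "/login", "Set-Cookie" => expired }, []]
end

# Constructed sample: a cookie-less static page that may stay publicly cacheable.
STATIC_PAGE = ->(_env) { [200, { "Cache-Control" => "public, max-age=60" }, ["ok"]] }

# Run a sample app through the middleware and return its Cache-Control value.
def cache_control_for(app)
  _status, headers, _body = PrivateWhenSettingCookies.new(app).call({})
  headers["Cache-Control"]
end

puts cache_control_for(LOGOUT_REDIRECT)
puts cache_control_for(STATIC_PAGE)
```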

benr75 Jan 15, 2010

FYI: I had issues with AuthLogic not logging out when I had Safari in Private Browsing mode.

adamstrickland Jun 30, 2010

I noticed a similar issue when running integration tests against a Rails 2.3.8 app using Authlogic. In my case, I am using Cucumber & Webrat to test the app's API which authenticates via basic authentication. I noticed that the first request would run fine, but all subsequent requests would error out in the middleware stack. Turns out it was coming from the CookieStore; switching to the AR SessionStore fixed the problem.
