Authlogic will randomly log in a logged out user. I am using the basic authlogic_example setup and have added just one more 'orders' resource controller with the basic actions and no other filters.
I can log out of my session, and view the orders index action logged out. Then I can keep refreshing my browser and within 5 - 15 refreshes, I will suddenly be logged back in again to the previous user session.
Right, this is an issue with Rails sessions in some later versions of Rails, not an Authlogic issue. I believe they fixed this in later versions, and people have solved this problem by using active_record store for sessions. Hope this helps.
So does this apply to cookie sessions in Rails 2.3.2?
I don't believe so, I'm pretty sure they fixed this issue. It also seems to only happen with apache? I'm not 100% sure on the exact setup that causes this problem, but numerous people have reported this and solved it by updating rails or switching to active record store. I'm putting a little note in the readme to help people out.
Have you heard of people not being able to log out? I'm experiencing this on a production server but can't reproduce locally. Probably not related but sounds similar to this. The part about differences in setup affecting the issue rings a bell at least.
Yeah, that's the same issue. People log out, but don't stay logged out, etc. It really has to do with Rails not properly clearing the session out like it should. I use nginx + thin, and active record store, so I have never experienced this issue. I've probably had at least 30 people email me about this and using an alternate session storage solution has solved the problem each time. I can't really do anything about this either because Authlogic just leverages what Rails provides, nothing tricky going on. I am fairly confident this has been fixed in later versions, but not 100%.
I'm running Rails 2.3.2 for this app. You said you thought it was fixed in 2.3.2. Maybe it's only fixed in edge?
Anyways, I'll try using active_record session store and see if that fixes it. This is an internal app so using AR store won't be a problem for us.
Thanks so much for the quick replies as well.
So simply changing to AR store didn't fix it. I added
ActionController::Base.session_store = :active_record_store
to my session_store.rb initializer and see the sessions being created in the DB. I have manually deleted all rows from the sessions table, and yet I can still keep refreshing the page and I will be logged back in and see a new row in the sessions DB table.
Well, let me take that back. I have a feeling there was still some kind of residual issue with cookies. So I reset my browser completely and wiped all cookies and haven't had the issue again.
OK, thanks for the update. If this is still an issue let me know and we'll figure it out, but I'm confident AR store will fix the problem. Also, it's disappointing that the issue isn't fixed in Rails yet, which leads me to believe it has to do with something else outside of Rails / Ruby. If you don't mind me asking, what stack are you using? Apache? Nginx? Thin? Mongrel?
Locally I dev on a Mac and use Apache/Passenger. I thought it might have been a Passenger issue so I also tried it directly with Mongrel with the same result.
I don't have nginx set up on my local box to test with.
That's fine, I just wanted to know to see if I can find a trend with this issue. Thanks.
My logout problem was fixed with an upgrade to Passenger 2.2.1. We continue to use cookie sessions with Rails 2.3.2 but now without the logout problem. Thanks for the tip on the Rails session angle.
Good point. I'm only running Passenger 2.1.3.
I'll upgrade to the latest 2.2.x and see if cookie sessions work again.