Persistence order #63

Closed
Bertg opened this Issue · 2 comments

3 participants

@Bertg

Hey,

Currently the persistence order of Authlogic is this:
[:persist_by_params, :persist_by_cookie, :persist_by_session, :persist_by_http_auth]

This - according to me - is not logically correct. Persistence by session should come before persistence by cookie.

:persist_by_cookie is enabling the "remember me" functionality, and could be perceived as an "automated re-login" system. There are many possible use cases where a client would want to track these "automated logins".
Currently this can be done by overriding (or chaining) the persist_by_cookie method. However, it is always called.

By moving the :persist_by_session callback up one spot, the :persist_by_cookie will only be called if there is no session available, and can then be truly seen as "automated login".

@avsej

When a system uses multiple domains, it may be helpful to disable :persist_by_cookie altogether. For example, I want to log the user out from all domains. I'll drop the Rails session from the database, and a new session will be created at the next request. Is there any convenient way to disable persistence by cookie?

For now I use the following initializer:

Authlogic::Session::Base.persist_callback_chain.reject! {|c| c.method == :persist_by_cookie}

But this code kills the 'remember me' feature.

@tiegz
Collaborator

+1 on this. It'd actually be nice to reorder Authlogic callbacks (different apps have different use cases). The biggest barrier to this is probably a lack of reordering in ActiveSupport::Callbacks.

@Bertg Bertg closed this
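
The ordering question in this thread, as an added Ruby sketch (not Authlogic's code and not written by any participant). It assumes the chain runs strategies in order and stops at the first one that returns a user; the class, constants and token values are constructed for illustration.

```ruby
# Simplified model of a "persist" callback chain. Assumption: strategies run in
# order and the chain stops at the first that returns a user. Not Authlogic code.
Request = Struct.new(:session_user, :remember_cookie, keyword_init: true)

class PersistChain
  attr_reader :calls, :audit

  def initialize(order, valid_tokens)
    @order = order
    @valid_tokens = valid_tokens # constructed remember-me token => user
    @calls = []                  # every strategy that was invoked
    @audit = []                  # users logged in again via the cookie
  end

  def persist(req)
    @order.each do |strategy|
      @calls << strategy
      user = send(strategy, req)
      return user if user
    end
    nil
  end

  private

  def persist_by_params(_req); nil; end    # not exercised in this sample
  def persist_by_http_auth(_req); nil; end # not exercised in this sample
  def persist_by_session(req); req.session_user; end

  def persist_by_cookie(req)
    user = @valid_tokens[req.remember_cookie]
    @audit << user if user # hook point for tracking automated logins
    user
  end
end

CURRENT_ORDER  = %i[persist_by_params persist_by_cookie persist_by_session persist_by_http_auth]
PROPOSED_ORDER = %i[persist_by_params persist_by_session persist_by_cookie persist_by_http_auth]
TOKENS = { "tok-alice" => "alice" }.freeze # constructed sample data

def trace(order, req)
  chain = PersistChain.new(order, TOKENS)
  { user: chain.persist(req), calls: chain.calls, audit: chain.audit }
end

ACTIVE  = Request.new(session_user: "alice", remember_cookie: "tok-alice")
DROPPED = Request.new(session_user: nil, remember_cookie: "tok-alice")
```

With the proposed order the cookie strategy runs only when no session exists, so the audit list holds only genuine automated re-logins. Under either order a dropped server-side session is restored by a still-valid remember-me cookie, which is the behaviour the initializer above works around.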