Logout does not log out user with cookie #3

dramsay opened this Issue Jun 4, 2009 · 1 comment


dramsay commented Jun 4, 2009

In the example app, you have the destroy method in the user_sessions controller. However, this method does not delete the cookie set if the user clicks "Remember me".

Therefore the user could click a logout link and think they're safely out of the application. Meanwhile, someone else could come along and get right back into the secure areas of the application and view the first user's data.

dramsay commented Jun 4, 2009

Never mind, had an old version of authlogic and was following the example too literally. You might want to update the example config/environment.rb to specify the newer version of authlogic.

This issue was closed.
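
The failure mode reported in the first comment, modelled in plain Ruby as an added example (this is not authlogic's code or the example app's): a logout that clears only the session leaves the "Remember me" cookie able to restore the login, while a full logout also deletes the cookie and rotates the server-side token. `SessionModel`, `User`, `logout_session_only` and the cookie name `remember` are hypothetical names chosen for illustration.

```ruby
require "securerandom"

# Hypothetical stand-in for a user record; persistence_token is the server-side
# value that the remember-me cookie must match.
User = Struct.new(:login, :persistence_token)

class SessionModel
  attr_reader :session, :cookies

  def initialize(users)
    @users = users    # login => User
    @session = {}     # server-side session state
    @cookies = {}     # browser cookie jar (constructed stand-in)
  end

  def login(login, remember_me: false)
    user = @users.fetch(login)
    @session[:login] = user.login
    @cookies["remember"] = "#{user.login}:#{user.persistence_token}" if remember_me
  end

  # Resolves the user from the session first, then from the remember-me cookie.
  def current_user
    return @users[@session[:login]] if @session[:login]
    login, token = @cookies["remember"].to_s.split(":", 2)
    user = @users[login]
    user if user && token == user.persistence_token
  end

  # Behaviour described in the report: only the session is cleared.
  def logout_session_only
    @session.clear
  end

  # Clears the session and the cookie, and rotates the server-side token so a
  # retained copy of the old cookie value is rejected as well.
  def logout
    user = current_user
    @session.clear
    @cookies.delete("remember")
    user.persistence_token = SecureRandom.hex(32) if user
  end
end
```

A regression test for a logout action can make the same three checks: no current user after logout, no remember-me cookie left in the response, and rejection of the previously issued cookie value.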