Keeping users logged in between browser launches


#1

I’ve got several Rails 2.1 apps using a variant of
restful_authentication to manage logins/sessions (actually the guts
from Beast but it’s basically restful_authentication). The apps store
sessions in cookies per 2.1 default. The apps set two cookies – the
session cookie and a “login_token” cookie that gets set thus:

cookies[:login_token] = {:value => "#{current_user.id};#{current_user.reset_login_key!}",
                         :expires => 1.year.from_now.utc} if params[:remember_me] == "1"

The problem is that logged-in users who then close their browsers have
to re-login when they re-launch their browsers even when the browsers
are set to keep cookies until they expire – which shouldn’t happen
because the login_token cookie expires one year in the future. When
their browsers are left open, the users remain logged in and the sites
function perfectly normally. Checking these cookies in the browser
confirms that they appear to be set/sent correctly.

What could cause this behavior? I’ve thought of:

  • session storage location – but moving sessions back to
    active_record doesn’t fix this
  • login_token cookie lacks a :domain setting – but setting this
    resulted in the login_token no longer showing up in the browser and
    didn’t affect the problem
  • mongrel_cluster – the sites where this problem happens are running
    mongrel_clusters with several mongrels each – while I have one site
    where the login persists as expected and has only a single mongrel in
    front of it – but otherwise uses the same login/session code

Could this really be a mongrel_cluster issue? What else could be going
on? This seems really weird, but also probably something really simple
and I’m just blind.

Thanks in advance for any pointers!


#2

Perhaps look at how the new restful_authentication
http://github.com/technoweenie/restful_authentication
does it and see if you can understand that.

Ryan B.
Freelancer
http://frozenplague.net


#3

The one thing that jumps out at me is you are setting the time to utc in
the cookie. I am pretty sure rails does this for you automatically, but
am not 100% certain. I know for my cookies I do not have to do this and
it works fine:

cookies[:name] = {:value => "value", :expires => 1.year.from_now}

Lastly, you might want to check out Authlogic as it is a simple way to
get authentication into your app:

http://github.com/binarylogic/authlogic/tree/master
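As an added illustration of the two points raised in #1 and #3 (not code from the original thread, Beast or restful_authentication), the following plain-Ruby script models a persistent "remember me" token in the same `id;token` cookie format the first post uses. The `RememberMeStore` class, its in-memory hash standing in for the users table, and the choice to keep only a SHA-256 digest of the token server-side are assumptions for the example; it also shows that rendering the `Expires` attribute via `Time#httpdate` always yields GMT, so converting the time with `.utc` first makes no difference to the header, which is the point made in #3.

```ruby
require 'securerandom'
require 'digest'
require 'time'

# Hypothetical persistent-login store modelled on the login_token cookie
# from post #1: the cookie value is "<user id>;<secret token>". The hash
# below stands in for a users table; only a digest of the token is kept
# server-side (an assumption for this example, not what Beast did).
class RememberMeStore
  Record = Struct.new(:token_digest, :expires_at)

  def initialize
    @records = {}
  end

  # Issues a fresh random token for user_id, records its digest and expiry,
  # and returns the cookie value in the "id;token" format.
  def issue(user_id, ttl_seconds, now = Time.now)
    token = SecureRandom.hex(32)
    @records[user_id] = Record.new(digest(token), now + ttl_seconds)
    "#{user_id};#{token}"
  end

  # Parses a presented cookie value and returns the user id when the token
  # matches the stored digest and has not expired; nil otherwise.
  def authenticate(cookie_value, now = Time.now)
    return nil unless cookie_value.is_a?(String)
    id_str, token = cookie_value.split(';', 2)
    return nil if id_str.nil? || token.nil? || id_str !~ /\A\d+\z/
    record = @records[id_str.to_i]
    return nil if record.nil? || now > record.expires_at
    secure_equal?(record.token_digest, digest(token)) ? id_str.to_i : nil
  end

  # Drops the stored token, the equivalent of reset_login_key! on logout.
  def revoke(user_id)
    @records.delete(user_id)
  end

  private

  def digest(token)
    Digest::SHA256.hexdigest(token)
  end

  # Constant-time comparison of two equal-length strings.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Builds the Set-Cookie header line for the token. Time#httpdate always
# renders GMT, so passing a local time (post #3) or one already converted
# with .utc (post #1) produces an identical header.
def set_cookie_header(value, expires)
  "login_token=#{value}; Expires=#{expires.httpdate}; Path=/; HttpOnly"
end

def utc_irrelevant_for_expires?(t = Time.now)
  set_cookie_header("x", t) == set_cookie_header("x", t.dup.utc)
end

if __FILE__ == $0
  store = RememberMeStore.new
  cookie = store.issue(42, 365 * 24 * 3600)
  puts set_cookie_header(cookie, Time.now + 365 * 24 * 3600)
  puts "authenticated as user #{store.authenticate(cookie).inspect}"
end
```

Running the script prints the `Set-Cookie` line a server would emit and the user id recovered from the same cookie on a later request; the expiry check in `authenticate` is what the server enforces independently of whether the browser chose to keep the cookie.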


#4

Thanks for the suggestions! Clearly restful_authentication and
authlogic have moved the ball far downfield from where Beast was
playing back in the day.

It’s looking as if this might be more of a browser issue, though. My
sites (and http://beast.caboo.se/ for that matter) DO retain logins
between browser restarts sometimes. So it’s hard to imagine that this
is a server-side matter…