I’ve got several Rails 2.1 apps using a variant of
restful_authentication to manage logins/sessions (actually the guts
from Beast but it’s basically restful_authentication). The apps store
sessions in cookies per 2.1 default. The apps set two cookies – the
session cookie and a “login_token” cookie that gets set thus:

    cookies[:login_token] = {
      :value   => "#{current_user.id};#{current_user.reset_login_key!}",
      :expires => 1.year.from_now.utc
    } if params[:remember_me] == "1"

The problem is that logged-in users who then close their browsers have
to re-login when they re-launch their browsers even when the browsers
are set to keep cookies until they expire – which shouldn’t happen
because the login_token cookie expires one year in the future. When
their browsers are left open, the users remain logged in and the sites
function perfectly normally. Checking these cookies in the browser
confirms that they appear to be set/sent correctly.
What could cause this behavior? I’ve thought of:
- session storage location – but moving sessions back to
  active_record doesn’t fix this
- login_token cookie lacks a :domain setting – but setting this
  resulted in the login_token no longer showing up in the browser and
  didn’t affect the problem
- mongrel_cluster – the sites where this problem happens are running
  mongrel_clusters with several mongrels each – while I have one site
  where the login persists as expected and has only a single mongrel in
  front of it – but otherwise uses the same login/session code
Could this really be a mongrel_cluster issue? What else could be going
on? This seems really weird, but also probably something really simple
and I’m just blind.
Thanks in advance for any pointers!