0

This is very strange. We use Authlogic for authentication.
Anyway, this website has been online for two years and we only now started experiencing this issue.
The strange thing is also that in Internet Explorer only the Rails session cookie does not exist. Don't know if it's related or not.

ramigg

1 Answer

0

It sounds like your sessions are not getting destroyed; after a while the generated session keys might be the same. Check the database for the amount of sessions and have a look at this post:

Ruby on rails - Authlogic : periodically check if user session is valid

On User model:

acts_as_authentic do |c|
  c.logged_in_timeout(5.minutes)
end

... and on UserSession model:

self.logout_on_timeout = true
Vikko
  • I tried to clean the sessions table, but it didn't help. Also the owner of the app wants his clients to stay logged in for a long time. – ramigg Apr 23 '12 at 09:27
  • Did you manually check the session keys? All I can think of now is that the same keys are given out to users, therefore they got a session that already exists and are treated as a different user. – Vikko Apr 23 '12 at 09:31
  • Do you invalidate the auth token on logout? – sailor Apr 23 '12 at 09:31
  • You destroy the session entry in the database on logout, so if you have another user in the database with the same session key it uses his account validation instead of his own. – Vikko Apr 23 '12 at 09:32
  • Anyway, I could delete the sessions table periodically because I save data only for the immediate use, and Authlogic uses the user_credentials cookie to authenticate users, so users will stay logged in even after cleaning the sessions table. But as I commented, I tried to clean all the sessions, and the issue still remains. Any ideas? (thanks for your help) – ramigg Apr 23 '12 at 09:46
  • Maybe set the time to live on cookies lower? Might be caching as well (Using Dalli memcached or something?) – Vikko Apr 23 '12 at 09:53
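
The check suggested in the answer and comments (count the stored sessions, look for session keys that occur more than once), as an added example that is not part of the original thread. It runs over constructed rows; the column names `session_id` and `updated_at`, the function name `audit_sessions` and the reuse of the answer's 5-minute timeout as a staleness threshold are assumptions.

```ruby
require "time"

# Constructed sample rows shaped like a database-backed `sessions` table.
# Keys and timestamps are made up for illustration.
KEY_A = "0a" * 16
KEY_B = "1b" * 16
KEY_C = "2c" * 16

SAMPLE_ROWS = [
  { id: 1, session_id: KEY_A, updated_at: "2012-04-23 09:20:00 UTC" },
  { id: 2, session_id: KEY_B, updated_at: "2012-04-23 09:29:00 UTC" },
  { id: 3, session_id: KEY_A, updated_at: "2012-04-23 09:28:00 UTC" }, # same key as row 1
  { id: 4, session_id: KEY_C, updated_at: "2012-04-20 12:00:00 UTC" }  # never cleaned up
].freeze

# Returns the total row count, every session key stored more than once
# (mapped to the ids of the rows sharing it), and the ids of rows that
# have not been touched within max_age seconds.
def audit_sessions(rows, now:, max_age:)
  duplicate_keys = rows.group_by { |r| r[:session_id] }
                       .select { |_key, group| group.size > 1 }
                       .transform_values { |group| group.map { |r| r[:id] } }

  stale_ids = rows.select { |r| now - Time.parse(r[:updated_at]) > max_age }
                  .map { |r| r[:id] }

  { total: rows.size, duplicate_keys: duplicate_keys, stale_ids: stale_ids }
end

if __FILE__ == $PROGRAM_NAME
  report = audit_sessions(SAMPLE_ROWS,
                          now: Time.utc(2012, 4, 23, 9, 30, 0),
                          max_age: 5 * 60) # 5 minutes, as in the answer's timeout
  puts "sessions stored: #{report[:total]}"
  report[:duplicate_keys].each do |key, ids|
    puts "key #{key} is shared by rows #{ids.join(', ')}"
  end
  puts "stale rows: #{report[:stale_ids].join(', ')}"
end
```

A non-empty `duplicate_keys` result would support the key-collision theory from the answer; an empty one points the investigation elsewhere, such as the caching mentioned in the last comment.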