
We have a site that is using Rails 3.0.4 and authlogic. We use nginx to handle the front end, and I am trying to use squid to do caching between nginx and the unicorns. I am trying not to cache pages for logged-in users, and I am doing this by tracking the user_credentials cookie; however, authlogic is actually doing authorisation based upon the values stored in the session. It is possible for a user (or browser, thank you Safari) to delete that cookie and for a logged-in user to get their pages into the cache, which makes people sad.

So how do I make authlogic authenticate on the user_credentials cookie rather than on the session?

I think this is the relevant code:

# Authlogic gem
acts_as_authentic do |config|
  config.transition_from_restful_authentication = true
  config.transition_from_crypto_providers = Authlogic::CryptoProviders::Sha1
  config.validates_length_of_password_field_options = {:on => :update, :minimum => 6, :if => :has_no_credentials?}
  config.validates_length_of_password_confirmation_field_options = {:on => :update, :minimum => 6, :if => :has_no_credentials?}
end
James
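
The failure described in the question, as an added example that is not part of the original post: the cookie-only cache rule treats a signed-in request as cacheable once the user_credentials cookie is gone, while a Rack-style middleware that reads the session marks the response `Cache-Control: private, no-store` so a shared cache will not store it. The session key names, the `_myapp_session` cookie name, and the names `PrivateWhenSignedIn` and `cacheable_by_cookie?` are assumptions made for illustration.

```ruby
# Added example, not code from the original post.
# ASSUMPTION: authlogic writes these keys into the Rails session; verify in your app.
AUTH_SESSION_KEYS = %w[user_credentials user_credentials_id].freeze

# The proxy-side rule described in the question: treat a request as anonymous
# (cacheable) whenever the user_credentials cookie is absent.
def cacheable_by_cookie?(cookie_header)
  names = cookie_header.to_s.split(/;\s*/).map { |pair| pair.split('=', 2).first }
  !names.include?('user_credentials')
end

# Rack-style middleware: the application, which can see the session, marks every
# response for a signed-in session as private so a shared cache will not store it.
class PrivateWhenSignedIn
  def initialize(app, session_keys = AUTH_SESSION_KEYS)
    @app = app
    @session_keys = session_keys
  end

  def signed_in?(env)
    session = env['rack.session'] || {}
    @session_keys.any? do |key|
      value = session[key] || session[key.to_sym]
      !value.nil? && value.to_s != ''
    end
  end

  def call(env)
    status, headers, body = @app.call(env)
    # Header name casing matches the inner app below; adjust if yours differs.
    headers = headers.merge('Cache-Control' => 'private, no-store') if signed_in?(env)
    [status, headers, body]
  end
end

# Constructed sample: an inner app whose pages are normally publicly cacheable.
INNER_APP = lambda do |_env|
  [200, { 'Content-Type' => 'text/html', 'Cache-Control' => 'public, max-age=300' }, ['page']]
end

# Constructed request: signed-in session, but the user_credentials cookie is gone.
# '_myapp_session' is a hypothetical session cookie name.
STRIPPED_COOKIE_ENV = {
  'HTTP_COOKIE' => '_myapp_session=abc123',
  'rack.session' => { 'user_credentials' => 'token', 'user_credentials_id' => 7 }
}.freeze
```
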