6

In my User model I have:

acts_as_authentic do |c|
  c.perishable_token_valid_for = 30.minutes
end

In my Application Controller I have the standard boilerplate code:

def current_user_session
  return @current_user_session if defined?(@current_user_session)
  @current_user_session = UserSession.find
end

def current_user
  return @current_user if defined?(@current_user)
  @current_user = current_user_session && current_user_session.record
end

Now in my view I need to see if a user is logged in:

<% if current_user %>
  Sign Out
<% else %>
  Sign In
<% end %>

On every single request, current_user is being called, and that causes a SELECT call to be made to the database to find the user, then an UPDATE call that updates the last_request_at and perishable_token even though I set perishable_token_valid_for = 30.minutes.

  1. Does anyone have a better way to see if a user is logged in without causing a SELECT and UPDATE on every single page of my app?

  2. Does anyone know why the perishable token keeps updating even if I set it to be valid for 30 minutes???

go minimal

1 Answer

9

perishable_token_valid_for isn't doing what you think it is. It's intended to work in tandem with find_using_perishable_token which is intended for things like account validation and resetting a forgotten password. The default timeout is 10 minutes.

The token is supposed to update on every request like it's doing. You can just remove the column if you don't want it. It's completely optional with authlogic.

If you really do want to keep the perishable token but update it completely by hand, you can do disable_perishable_token_maintenance = true

x1a4
  • Ok, I was trying to use the perishable_token to allow access to a specific page for only 10 minutes... any recommendations on how to accomplish that? – go minimal May 25 '10 at 03:22
  • Without having to add a new model, not sure. You can always keep a list of accesses to that page though, and check against that. – x1a4 May 25 '10 at 05:20
  • Will account validation/reset password which use find_using_pt, still work without the pt column? If not, is there a different way? I am having the same problem, I would like to use the pt for validation/resets but rather not see this update with every request. Thanks – badnaam Jul 31 '10 at 20:54
  • What is the full string for this? `disable_perishable_token_maintenance = true` I've tried so many things that don't work. `Authlogic::ActsAsAuthentic::PerishableToken::Config.disable_perishable_token_maintenance` does not work. – Trip Jan 09 '12 at 18:04
  • Trip, check out https://gist.github.com/aa8ca563604187fcbe62 for an example of what I'm doing in an app running in production right now. – x1a4 Jan 12 '12 at 02:36
  • @go minimal use authlogic's Single access token instead of the perishable token for what you're doing. http://blog.xtreme.se/posts/1-authlogic-login-using-token-vs-username-and-password – Sujimichi Feb 19 '14 at 14:16
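
The behaviour the answer describes, as an added example that is not part of the original thread and is not Authlogic's code: a stand-alone Ruby model in which every save rotates the token unless maintenance is disabled, and a token is redeemed only inside its validity window and only once. The `Account` class, `redeem`, `scenario` and the constant-time comparison are hypothetical names and choices; measuring the window from the last token reset is an assumption.

```ruby
require "securerandom"

# Simplified stand-in for a model with a perishable token (hypothetical, not Authlogic code).
class Account
  attr_reader :perishable_token

  def initialize(disable_maintenance: false)
    @disable_maintenance = disable_maintenance
    reset_perishable_token!
  end

  # Every save rotates the token unless maintenance is disabled, which is why a
  # per-request last_request_at update also rewrites perishable_token.
  def save(now = Time.now)
    reset_perishable_token!(now) unless @disable_maintenance
    true
  end

  def reset_perishable_token!(now = Time.now)
    @perishable_token = SecureRandom.urlsafe_base64(15)
    @token_set_at = now # assumption: the validity window starts at the last reset
  end

  # Accept the token only inside the window, then rotate it so the link is single use.
  def redeem(token, valid_for:, now: Time.now)
    return false if token.to_s.empty? || now - @token_set_at > valid_for
    return false unless secure_equal?(token.to_s, @perishable_token)
    reset_perishable_token!(now)
    true
  end

  private

  # Constant-time comparison so response timing does not leak matching prefixes.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |diff, (x, y)| diff | (x ^ y) }.zero?
  end
end

# Constructed scenario: e-mail a reset link at t0, serve one page request, then redeem.
def scenario(disable_maintenance:, redeem_after:)
  t0 = Time.at(1_700_000_000)
  account = Account.new(disable_maintenance: disable_maintenance)
  account.reset_perishable_token!(t0)
  emailed = account.perishable_token
  account.save(t0 + 5) # an ordinary page request that saves the record
  account.redeem(emailed, valid_for: 30 * 60, now: t0 + redeem_after)
end
```

With maintenance left on, the e-mailed token is already stale after the first page request; with it disabled, the token survives until it is redeemed or the 30-minute window passes.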