Bizarre authlogic issue only in Production - ruby-on-rails

Context: A rails app with authlogic for signup and login
Setup info: Rails 2.3.2
A controller called posts with an action 'show'.
Upon login, I display the posts/index page, and when the user clicks on an item, the item's details are displayed. Fairly standard stuff.
All of this works fine and dandy both in Development and Production (Apache with Passenger 2.2.5 on Ubuntu with MySQL) EXCEPT for the following problem in one case:
Problem:
ONLY on Firefox/Safari/Chrome (IE7 is OK) and ONLY in PRODUCTION,
when the user logs in for the very FIRST time in a new session
(open a new browser, type in the URL), the index page is displayed fine,
and when an item is clicked, the user gets mysteriously LOGGED OUT
(current_user returns null).
When you log in again, everything is BACK to normal - you can log out and log in any number of times with no problem - UNTIL you close the browser and start again.
Any other action besides 'show' has the current_user preserved and works fine.
QUESTION:
How is the user session getting lost on a call like posts/id, and only once - the first time?
The show action doesn't do anything special.
I have used both ActiveRecord Store and Cookies for Session Management with same behavior.
Anybody got any clues, greatly appreciated!

This might be happening because the user is getting redirected from:
http://yoursite.com to http://www.yoursite.com
Here's a blog that mentions this problem:
http://garrickvanburen.com/archive/rails-cookie-settings-for-cross-subdomain-sessions
To paraphrase the blog:
The fix is to set:
config.action_controller.session[:domain] = '.YOURDOMAIN.COM'
inside of environment.rb (Make sure to prefix it with the .). That will make cookies work for both www.yourdomain.com and yourdomain.com (as well as any other subdomains).
This technique is also discussed here:
Losing session in rails 2.3.2 app using subdomain

Related

RoR - Omniauth - Occassionally cannot sign out - Cookies?

This is my first question on StackOverflow! I've searched around and can't seem to find anyone else having this problem, so here goes.
I'm using Ruby on Rails and Devise + OmniAuth to allow people to sign in through Facebook & Google on my site. This works great -- users can sign in and sign out perfectly, so all the routes seem to be working fine.
HOWEVER, occasionally signing out will not work -- it will bring me to a blank page, and upon returning to the website, I'll still be logged in, and there's no way to sign out. If I try opening the site in incognito, or clear my history, it all works again.
I'm guessing the culprit is in the cookies -- it keeps my info so it keeps me logged in even though I want to sign out. I'm a newb at programming though so I'm not sure where to go to fix this.
Thanks for any help!
Turns out it had nothing to do with cookies -- Devise uses https, so if I returned to the page with just http and tried signing out, it would try to do a GET request for the https even though there was none (otherwise it just issues the default DELETE request as normal).
I figured out the answer through this stack overflow question: Devise No route matches [GET] "/users/sign_out" from link with delete specified
I used the first answer by Chris Chattan, but there are other ones that might suit you too (you can just use https for everything if you want).

Rails 2.3: Session not available for first request after server restart

I'm currently upgrading a rails application from 2.1.0 to 2.3.14.
Most things are running well now, but there's a strange issue with the user sessions:
When a user has been logged in, this is saved in the session and is available even after a browser restart - as it should be.
However: When I restart my local server and load a page that requires authentication, the following happens:
Rails creates a new session row in the database with exactly the same session_id as before.
Inside the application the "old" session is not available, old session data is not available.
If I simply reload the page (F5) afterwards, the correct session including the old data is loaded fine.
The application uses ActionController::Base.session_store = :active_record_store and multiple databases (one per subdomain; wasn't my decision). The correct database is chosen in a before_filter and rails saves sessions in these databases.
My guess is that after a server restart something is not yet set correctly and the sessions are searched in a wrong database and kept for the first request (but it's saved in the correct database after it was set via ActiveRecord::Base.establish_connection).
If my guess is correct, loading the correct session after establishing the connection should solve this.
Is there a way to either completely reload the session from database or tell Rails to use a custom database for all sessions?
Thanks in advance!

Rails 3 application creates sessions only for certain users in my db

This is an extremely weird situation. I have a Rails 3 app that authenticates users using OmniAuth. The problem I recently encountered is that after correctly validating a user using the aforementioned gem, at some part of the code I set some session variables, specifically:
session[:user_id] = user.id
The problem is that this line only works for some users (it does not depend on the browser, the cookies or anything else; it only happens for certain users). The user variable is valid and has an id attribute, but this session variable does not persist on the next request, sending this user back to the login page. Again, this only happens to some users, which makes the problem a whole lot more difficult to debug.
Any ideas? Thanks in advance!
PS: I've tried using the cookie session store and the database session store, both with the same results.
EDIT: The problem ended up being something completely not related to sessions.

Rails on Subdomain and Custom Port

I have to run rails on a shared host for a client via cPanel.
The application is running on a subdomain and non standard port.
I am using Authlogic, so on the first visit it detects I am not logged in and I get a page with:
You are being redirected.
Clicking on that I get the login form, which then takes me to the target page, with the same redirect message. So the model detects the login, but no cookie or session is ever created.
I have tried the following with no success:
config.action_controller.session = {:domain => '.bbbb.com'}
I've also tried using an active record session with same result.
Please help :)
Thanks
Are you using, or have you looked at, SubDomainFu?
http://github.com/mbleigh/subdomain-fu

Destroy cookies in rails, facebook connect, facebooker plugin

So I have sort of a weird situation going on. I am using the Facebooker plugin for rails where I want users to be able to login and logout with their facebook profiles. However, once users logout, if I refresh the page, it logs them back in. This is only when users log in with facebook connect.
I think the problem is that a rogue cookie is just re-instantiating the session and thus my best guess is to manually destroy the cookies but to be honest I'm not entirely sure of how to do this. I printed out my cookie list (from request.cookies) both before and after I click logout. After logout is clicked, I still have this cookie lingering...but don't know how to delete it.
fbsetting_0b78c8f2c95ce671470bdcb1c19e5070 {"connectState":1,"oneLineStorySetting":1,"shortStorySetting":1,"inFacebook":false}
After playing around with it a little more, that cookie isn't even there...but upon refreshing the page I am logged in again.
I'm doing this all on localhost...not sure if that should cause a problem or not.
Any ideas?
This is what I have in users controller
def logout_facebook
  clear_facebook_session_information # Facebooker helper that clears the local Facebook session data
  redirect_to root_url
end
and this is how it is triggered
<%= fb_logout_link("Logout out", "#{root_url}users/logout_facebook")%>
This is how I got it to remove the cookies on the local side.
Note: don't forget to add a route to the logout_facebook method in your routes.
Destroying local cookies isn't enough to terminate a Facebook Connect session. The connect JS library will recreate destroyed cookies as long as you still have an active session on the facebook.com domain -- and those cookies are inaccessible to you.
All log-outs must be handled by calling the logout function in the connect library.
e.g.,
<script>$H.fbconnect.logout();</script>
To delete a cookie, you need to set the cookie again with an expiration date in the past.
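The www/apex cookie-scope problem from the accepted answer at the top of the page and the delete-by-past-expiry rule in this answer, modelled in Ruby as an added example (my code, not code from either answer, from Rails or from Facebooker): it assumes RFC 6265 domain matching, and the host and cookie names it uses are constructed.

```ruby
# Minimal cookie-jar model (example code, not Rails or browser code) for the two
# RFC 6265 rules the answers above rely on: domain matching and past-Expires deletion.
class CookieJar
  Cookie = Struct.new(:name, :value, :domain, :host_only)
  def initialize
    @cookies = {}
  end

  # Store a cookie as a browser would after a response from +request_host+.
  # No :domain in +attrs+ means host-only: the Rails 2.3 default that breaks across www.
  def set(request_host, name, value, attrs = {})
    domain = (attrs[:domain] || request_host).downcase.sub(/\A\./, '')
    key = [name, domain]
    if attrs[:expires] && attrs[:expires] <= Time.now
      @cookies.delete(key) # Expires in the past: the cookie is removed
    else
      @cookies[key] = Cookie.new(name, value, domain, attrs[:domain].nil?)
    end
  end

  # RFC 6265 5.1.3: the host matches when it equals the cookie domain or ends
  # with ".<domain>"; a host-only cookie requires an exact match.
  def domain_match?(cookie, host)
    host = host.downcase
    return host == cookie.domain if cookie.host_only
    host == cookie.domain || host.end_with?(".#{cookie.domain}")
  end
  # Names of the cookies the browser would attach to a request for +host+.
  def cookies_for(host)
    @cookies.values.select { |c| domain_match?(c, host) }.map(&:name).sort
  end
end

# Question's scenario: session cookie set at yourdomain.com, then a redirect to
# www.yourdomain.com.  Returns true if the session cookie follows the user.
def session_survives_redirect?(domain_attr)
  jar = CookieJar.new
  jar.set('yourdomain.com', '_session_id', 'abc', domain: domain_attr)
  jar.cookies_for('www.yourdomain.com').include?('_session_id')
end

# Expire a ".yourdomain.com" cookie from www.yourdomain.com; true if it survives.
# Without a matching Domain the expired Set-Cookie names a different cookie.
def cookie_remains_after_delete?(name, with_domain)
  jar = CookieJar.new
  jar.set('yourdomain.com', name, 'x', domain: '.yourdomain.com')
  attrs = { expires: Time.now - 3600 }
  attrs[:domain] = '.yourdomain.com' if with_domain
  jar.set('www.yourdomain.com', name, '', attrs)
  jar.cookies_for('yourdomain.com').include?(name)
end
```

The same matching rule is why a deletion cookie sent from a different host, or with the wrong Domain attribute, leaves the original in place and the user apparently still logged in.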
A million thanks for the clean and fool-proof solution to such a frazzled functionality. I've literally been going blank over the last 2 weeks since I came across the fact, true I believe for almost all NEW Facebooker users, of "Facebook Connect logging out completely". Or maybe it was just a lack of documentation or some code excerpt I wasn't able to find to date in the Facebooker docs.
Anyway, away from all that, moving to the solution which made me achieve it... following #James B's method above.
Obviously I am assuming you have all read the Facebooker installation, configuration & usage instructions at http://github.com/mmangino/facebooker.
I have also used a plugin, "authlogic_facebook_connect", which you can find on the GitHub page of kalasjocke/authlogic_facebook_connect.
Now I assume you have already configured your application to work with Facebook Connect by using fb_login_button or authlogic_facebook_login_button. Clicking it you'd see a popup to log yourself into both your Facebook account and the local account of your app. Once you log in you'd get a facebook_session to handle saving a new user in your DB (only if you wish to).
By default you won't get the birthday and email address of users in the facebook_session response from Facebook. To get them you need something like this in your initialization JavaScript in the body tag of the rhtml page...
<%= fb_connect_javascript_tag %>
<%= init_fb_connect "XFBML", {
      :app_settings => "{ permsToRequestOnConnect: 'email,user_birthday' }"
    } %>
<%= authlogic_facebook_login_button %>
Now finally what I did for getting logged out of both Facebook and my site.
Inside the header of your application, or wherever the LOGIN, LOGOUT, logged-in user's name etc. will display...
:delete
%>
The two logout buttons are for different kinds of users: a. those who registered directly on your site, b. those who registered on your site via Facebook.
Route for logout_both in routes.rb
map.connect "/logout_both",
            :controller => "users",
            :action => "logout_both"
The action for logout_both inside users_controller.rb
def logout_both
  current_user_session.destroy
  #clear_facebook_session_information
  flash[:notice] = "Logout successful!"
  redirect_to root_path
end #End of method logout_both
You need to make sure that there are no filters defined in the controller which could prevent the logout_both action from being executed without a session.
Oh yes, and if you're wondering why that "clear_facebook_session_information" is commented out in the action: don't worry, you're already logged out of Facebook before entering this action, so this line is no longer needed. Boss, we're using "fb_logout_link", which first logs you out and then redirects you to this new action.
Well, that's about it. If this doesn't do it........ get your hands dirty like I am doing.. dig in.. solve it yourself. Facebooker is deep but has a definite END!!!
Again many thanks to mangino & kalasjocke for making Facebook Connect almost painless for Rails.
One clarification, people... in my answer above there is a hitch, which is: after logout, if you refresh the page, it would again show you logged in on your site, although you're successfully logged out of Facebook.
I was wrong, ONE BIG CLARIFICATION...... As a matter of fact you DO NEED THESE TWO LINES IN YOUR "logout_both" action
def logout_both
  current_user_session.destroy
  clear_facebook_session_information # MANDATORY TO COMPLETELY CLEAR COOKIES
  reset_session # TO BE 100% sure you can use it optionally
  flash[:notice] = "Logout successful!"
  redirect_to root_path
end
