I've got several Rails 2.1 apps using a variant of restful_authentication to manage logins/sessions (actually the guts from Beast but it's basically restful_authentication). The apps store sessions in cookies per 2.1 default. The apps set two cookies -- the session cookie and a "login_token" cookie that gets set thus:
cookies[:login_token] = {:value => "#{current_user.id};#{current_user.reset_login_key!}", :expires => 1.year.from_now.utc} if params[:remember_me] == "1"
The problem is that logged-in users who then close their browsers have to re-login when they re-launch their browsers even when the browsers are set to keep cookies until they expire -- which shouldn't happen because the login_token cookie expires one year in the future. When their browsers are left open, the users remain logged in and the sites function perfectly normally. Checking these cookies in the browser confirms that they appear to be set/sent correctly.
What could cause this behavior? I've thought of:
- session storage location -- but moving sessions back to active_record doesn't fix this
- login_token cookie lacks a :domain setting -- but setting this resulted in the login_token no longer showing up in the browser and didn't affect the problem
- mongrel_cluster -- the sites where this problem happens are running mongrel_clusters with several mongrels each -- while I have one site where the login persists as expected and has only a single mongrel in front of it -- but otherwise uses the same login/session code
Could this really be a mongrel_cluster issue? What else could be going on? This seems really weird, but also probably something really simple and I'm just blind.
Thanks in advance for any pointers!