Losing session variable with acts_as_authenticated

Hi,

I initially set up acts_as_authenticated to require a user login before
accessing and updating pages on my recipe site. This worked fine with no
problems with the user session.

Now, I have changed the setup so that a few pages are available to the
public, while others that involve create/update/delete actions require a
user that is logged in. So I created a login form as a partial to include on
every single page. The sign in form displays if not logged in; if the user
is logged in it will display a welcome message to the user.

Now I'm encountering problems where my session[:user] variable gets reset to
nil whenever I do a post request. I still have the session, but I just lose
the variable, and find myself having to explicitly send the user ID as
hidden input and re-assign the session[:user] variable. Has anyone
encountered this problem, or have any idea why this would be happening?

Thanks in advance.

I am using exactly this trick on my http://eq2guild.flame.org/ site,
and have experienced no problems with it.

Can you compare the html code on that opening page with what you have
in yours? I can send you my controller snipit if it will help.

--Michael

Hi Michael,

Thanks for your reply. Our login forms are pretty much the same except that
your form calls on the /account/login action, whereas mine calls on /recipe
(I had put my login action in my application controller so that it would be
accessible to all my controllers).

This is how I generated it in my view: <% form_for :login, login do %>

It works on my /recipe page, but I just recently noticed that I can't log in

Aside from that issue, it would be great if I could take a look at your
controller code. To me, it doesn't really seem like any of my update/edit
actions for recipes explicitly change any session variables (except when I
have to re-assign my session[:user] variable to keep the user logged in).

Michelle

Michael Graff-5 wrote:

Wait, you have your login method in all your controllers? May I ask why? :slight_smile:

It seems that having one definite action to log one in is a very good
thing. That is, /login or /account/login or /log_me_in should be the
only controller/action with a login method. After all, you don't log
into a recipe, do you? :slight_smile:

If you require a user to log in before they do certain operations,
that's also easily done:

class ToonController < ApplicationController
  before_filter :login_required, :except => [ :list,
                                              :show,
                                              :show_avatar,
                                              :classes,
                                              :tradeskills ]

Or, in each method:

  def new
    if !logged_in?
      flash[:notice] = 'You cannot create characters without logging in.'
      redirect_to :action => "list"
    else
      @toon = Toon.new
    end
  end

My account controller:

class AccountController < ApplicationController
  def login
    return unless request.post?
    self.current_user = User.authenticate(params[:login], params[:password])
    if logged_in?
      redirect_back_or_default(:controller => 'welcome', :action => 'index')
      flash[:notice] = "Logged in successfully"
    end
  end

  def logout
    cookies.delete :auth_token
    reset_session
    flash[:notice] = "You have been logged out."
    redirect_back_or_default(:controller => 'welcome', :action => 'index')
  end

As I mentioned, I'm using a modified acts_as_authenticated plugin.

--Michael

Sorry, what I mean is that I had put my login method inside my application
controller so it's accessible to the rest of my controllers. If I leave my
login method in the account controller, my other controllers throw an
exception with the error "undefined method login".

My login and logout methods otherwise look similar to yours (they're
unmodified from acts_as_authenticated).

This is how I'm rendering the login box in the main layout:

<%= render :partial => 'account/login', :locals => { :current_user =>
@current_user } %>

_login.rhtml (I just changed it so that login is now back in the account
controller):

<% if flash[:notice] %>
  <%= flash[:notice] %>
<% end %>

<% if logged_in? %>
  <%= 'Welcome, ' + current_user.first_name + "! &raquo; " %>
  <%= link_to 'Logout', :controller => 'account', :action => 'logout' %>
<% else %>
  <% form_tag "/account/login" method="post" %>
  <p><label for="login">Login</label><br/>
  <%= text_field_tag 'login', login %></p>

  <p><label for="password">Password</label><br/>
  <%= password_field_tag 'password' %></p>
  
  <p><label for="remember_me">Remember me:</label>
  <%= check_box_tag 'remember_me' %></p>
  
  <p><%= submit_tag 'Log in' %></p>
  <% end %>
<% end %>

Michael Graff-5 wrote:

Sorry, what I mean is that I had put my login method inside my application
controller so it's accessible to the rest of my controllers. If I leave my
login method in the account controller, my other controllers throw an
exception with the error "undefined method login".

You should never have "login" run via the path /recipe/login, or
/book/login, etc. probably -- you always want /account/login -- so
login should be in account_controller.rb only. If you put it in
app/controllers/application.rb, I believe it can be accessed via
/recipe/login, etc.

If you need to refer to it inside a different controller, you can
always redirect to the login page:

  redirect_to :controller => :account, :action => :login

This is how I'm rendering the login box in the main layout:

What you did looks basically the same as mine...

Here's my app/views/account/login.rhtml file:

<div class="contentbody">
<% form_tag do -%>
<p><label for="login">Login</label><br/>
<%= text_field_tag 'login' %></p>
<p><label for="password">Password</label><br/>
<%= password_field_tag 'password' %></p>
<p><%= submit_tag 'Log in' %></p>
<% end -%>
</div><!-- contentbody -->

This renders to:

<div class="contentbody">
<form action="/account/login" method="post"><p><label
for="login">Login</label><br/>
<input id="login" name="login" type="text" /></p>
<p><label for="password">Password</label><br/>
<input id="password" name="password" type="password" /></p>
<p><input name="commit" type="submit" value="Log in" /></p>
</form></div><!-- contentbody -->

I'm wondering why you're login form is in a login.rhtml rather than a partial
named _login.rhtml? When I try the <% form_tag do -%> it renders the action
to go to the page that I'm current on, eg. /recipe/list.

Basically, I'm trying to get the layout to be just like yours: login form
included onto each page as a partial. But when I put the login method back
into the application, my recipe controller is complaining about an
undefined login method. Incidentally, trying to access the path
/recipe/login results in an error because I have no layout page for that.

Michael Graff-5 wrote:

My bad. I have two login forms actually -- that one is displayed when
the user goes to /admin/login specifically.

Here is the one I put in my sidebars, which appears on every page
unless the user is logged in. And no I don't have this in a partial
either, but I probably should...

<div id="login_form">
  <% form_tag(:controller => "account", :action => "login") do %>
    <label for="login" class="lfield">Username</label>
    <%= text_field_tag(:login, params[:login], :size => 12, :class =>
"lfield") %>
    <p/>
    <label for="password" class="lfield">Password</label>
    <%= password_field_tag(:password, params[:password], :size => 12,
:class => "lfield") %>
    <p/>
    <%= submit_tag "Log In", :class => "submit_button" %>
  <% end %>
</div><!-- login_form -->

This renders into:

<div id="login_form">
   <form action="/account/login" method="post">
        <label for="login" class="lfield">Username</label>
        <input class="lfield" id="login" name="login" size="12" type="text" />
        <p/>
        <label for="password" class="lfield">Password</label>
        <input class="lfield" id="password" name="password" size="12"
type="password" />
        <p/>
        <input class="submit_button" name="commit" type="submit"
value="Log In" />
    </form>
</div><!-- login_form -->

It turns out that I had been requiring the login method in a before_filter,
which is why my application was breaking when I moved the login method back
to the account controller. It works now... I'm able to log in from different
pages, and it also fixed my session problem :slight_smile:

Thanks so much for your help!

Michael Graff-5 wrote: