Losing session variable with acts_as_authenticated

rubyonrails-talk
1

Hi,

I initially set up acts_as_authenticated to require a user login before accessing and updating pages on my recipe site. This worked fine with no problems with the user session.

Now, I have changed the setup so that a few pages are available to the public, while others that involve create/update/delete actions require a user that is logged in. So I created a login form as a partial to include on every single page. The sign in form displays if not logged in; if the user is logged in it will display a welcome message to the user.

Now I'm encountering problems where my session[:user] variable gets reset to nil whenever I do a post request. I still have the session, but I just lose the variable, and find myself having to explicitly send the user ID as hidden input and re-assign the session[:user] variable. Has anyone encountered this problem, or have any idea why this would be happening?

Thanks in advance.

2

I am using exactly this trick on my http://eq2guild.flame.org/ site, and have experienced no problems with it.

Can you compare the html code on that opening page with what you have in yours? I can send you my controller snipit if it will help.

--Michael

3

Hi Michael,

Thanks for your reply. Our login forms are pretty much the same except that your form calls on the /account/login action, whereas mine calls on /recipe (I had put my login action in my application controller so that it would be accessible to all my controllers).

This is how I generated it in my view: <% form_for :login, login do %>

It works on my /recipe page, but I just recently noticed that I can't log in

Aside from that issue, it would be great if I could take a look at your controller code. To me, it doesn't really seem like any of my update/edit actions for recipes explicitly change any session variables (except when I have to re-assign my session[:user] variable to keep the user logged in).

Michelle

Michael Graff-5 wrote:

4

Wait, you have your login method in all your controllers? May I ask why? :slight_smile:

It seems that having one definite action to log one in is a very good thing. That is, /login or /account/login or /log_me_in should be the only controller/action with a login method. After all, you don't log into a recipe, do you? :slight_smile:

If you require a user to log in before they do certain operations, that's also easily done:

class ToonController < ApplicationController   before_filter :login_required, :except => [ :list,                                               :show,                                               :show_avatar,                                               :classes,                                               :tradeskills ]

Or, in each method:

  def new     if !logged_in?       flash[:notice] = 'You cannot create characters without logging in.'       redirect_to :action => "list"     else       @toon = Toon.new     end   end

My account controller:

class AccountController < ApplicationController   def login     return unless request.post?     self.current_user = User.authenticate(params[:login], params[:password])     if logged_in?       redirect_back_or_default(:controller => 'welcome', :action => 'index')       flash[:notice] = "Logged in successfully"     end   end

  def logout     cookies.delete :auth_token     reset_session     flash[:notice] = "You have been logged out."     redirect_back_or_default(:controller => 'welcome', :action => 'index')   end

As I mentioned, I'm using a modified acts_as_authenticated plugin.

--Michael

5

Sorry, what I mean is that I had put my login method inside my application controller so it's accessible to the rest of my controllers. If I leave my login method in the account controller, my other controllers throw an exception with the error "undefined method login".

My login and logout methods otherwise look similar to yours (they're unmodified from acts_as_authenticated).

This is how I'm rendering the login box in the main layout:

<%= render :partial => 'account/login', :locals => { :current_user => @current_user } %>

_login.rhtml (I just changed it so that login is now back in the account controller):

<% if flash[:notice] %>   <%= flash[:notice] %> <% end %>

<% if logged_in? %>   <%= 'Welcome, ' + current_user.first_name + "! &raquo; " %>   <%= link_to 'Logout', :controller => 'account', :action => 'logout' %> <% else %>   <% form_tag "/account/login" method="post" %>   <p><label for="login">Login</label><br/>   <%= text_field_tag 'login', login %></p>

  <p><label for="password">Password</label><br/>   <%= password_field_tag 'password' %></p>      <p><label for="remember_me">Remember me:</label>   <%= check_box_tag 'remember_me' %></p>      <p><%= submit_tag 'Log in' %></p>   <% end %> <% end %>

Michael Graff-5 wrote:

6

Sorry, what I mean is that I had put my login method inside my application controller so it's accessible to the rest of my controllers. If I leave my login method in the account controller, my other controllers throw an exception with the error "undefined method login".

You should never have "login" run via the path /recipe/login, or /book/login, etc. probably -- you always want /account/login -- so login should be in account_controller.rb only. If you put it in app/controllers/application.rb, I believe it can be accessed via /recipe/login, etc.

If you need to refer to it inside a different controller, you can always redirect to the login page:

  redirect_to :controller => :account, :action => :login

This is how I'm rendering the login box in the main layout:

What you did looks basically the same as mine...

Here's my app/views/account/login.rhtml file:

<div class="contentbody"> <% form_tag do -%> <p><label for="login">Login</label><br/> <%= text_field_tag 'login' %></p> <p><label for="password">Password</label><br/> <%= password_field_tag 'password' %></p> <p><%= submit_tag 'Log in' %></p> <% end -%> </div><!-- contentbody -->

This renders to:

<div class="contentbody"> <form action="/account/login" method="post"><p><label for="login">Login</label><br/> <input id="login" name="login" type="text" /></p> <p><label for="password">Password</label><br/> <input id="password" name="password" type="password" /></p> <p><input name="commit" type="submit" value="Log in" /></p> </form></div><!-- contentbody -->

7

I'm wondering why you're login form is in a login.rhtml rather than a partial named _login.rhtml? When I try the <% form_tag do -%> it renders the action to go to the page that I'm current on, eg. /recipe/list.

Basically, I'm trying to get the layout to be just like yours: login form included onto each page as a partial. But when I put the login method back into the application, my recipe controller is complaining about an undefined login method. Incidentally, trying to access the path /recipe/login results in an error because I have no layout page for that.

Michael Graff-5 wrote:

8

My bad. I have two login forms actually -- that one is displayed when the user goes to /admin/login specifically.

Here is the one I put in my sidebars, which appears on every page unless the user is logged in. And no I don't have this in a partial either, but I probably should...

<div id="login_form">   <% form_tag(:controller => "account", :action => "login") do %>     <label for="login" class="lfield">Username</label>     <%= text_field_tag(:login, params[:login], :size => 12, :class => "lfield") %>     <p/>     <label for="password" class="lfield">Password</label>     <%= password_field_tag(:password, params[:password], :size => 12, :class => "lfield") %>     <p/>     <%= submit_tag "Log In", :class => "submit_button" %>   <% end %> </div><!-- login_form -->

This renders into:

<div id="login_form">    <form action="/account/login" method="post">         <label for="login" class="lfield">Username</label>         <input class="lfield" id="login" name="login" size="12" type="text" />         <p/>         <label for="password" class="lfield">Password</label>         <input class="lfield" id="password" name="password" size="12" type="password" />         <p/>         <input class="submit_button" name="commit" type="submit" value="Log In" />     </form> </div><!-- login_form -->

9

It turns out that I had been requiring the login method in a before_filter, which is why my application was breaking when I moved the login method back to the account controller. It works now... I'm able to log in from different pages, and it also fixed my session problem :slight_smile:

Thanks so much for your help!

Michael Graff-5 wrote: