restful_authentication + nested resources => failed to authenticate

To all:

hi,

i used rails 1.2.6 + restful_authentication plugin

  #base_url
  base = '/v1'

  map.resources :users, :path_prefix => base

  map.resources :users do |users|
    users.resources :orders, :path_prefix => '/v1/users/:id'
  end

  map.resource :session

  map.signup '/signup', :controller => 'users', :action => 'new'
  map.login '/login', :controller => 'session', :action => 'new'
  map.logout '/logout', :controller => 'session', :action => 'destroy'

this is my routes.rb

when i first started my webrick, i tried to access localhost:3001/v1/
users/username1/orders
i was prompted for my username password. so it worked.

however when i type in localhost:3001/logout

and when i try localhost:3001/v1/users/username1/orders, it failed to
prompt me.

it showed

You have been logged out.
Listing orders

<data here>

<New order link here>

exposing data when I have already logged out.

May I ask what is wrong here?

Thanks!

Forgot to mention that i also installed http_authentication plugin as
well.

Somehow my session is not destroyed.

what have i gone wrong?

inside my application.rb

# Filters
  before_filter :authenticate

  # Sets @authenticated_user if the user provides valid
  # credentials. THis may be used to deny access or customise the view
  def authenticate
    @authenticated_user = nil
    authenticate_with_http_basic do |user, password|

      @authenticated_user = User.authenticate(user, password)
    end

    return true
  end

  #Filter for actions that _require_ authentication. Unless client
authenticated
  # as some user, takes over the request and sends a response code of
401.
  def must_authenticate
    if @authenticated_user && (@user_is_viewing_themselves != false)
      return true
    else
      request_http_basic_authentication
      return false
    end
  end

  # A filter for controllers beneath /users/{login}.
  # Transforms {login} into user ID. Sends a 404 response code
  # if the user does not exist.
  def must_specify_user
    if params[:id]
      @user = User.find_by_permalink(params[:id])
      if_found(@user) {params[:user_id] = @user.id}
      return false unless @user
    end
    # for limiting view to authenticated user
    @user_is_viewing_themselves = (@authenticated_user == @user)
    return true
  end

in my orders_controller i use before_filter :must_authenticate and
before_filter:must_specify_user