grimen / devise_facebook_connectable

Devise << Facebook Connect. IMPORTANT: Not maintained anymore.
MIT License

sign_out not working with passenger #18

Closed kabriel closed 14 years ago

kabriel commented 14 years ago

I've just integrated devise_facebook_connect with my site and saw a very strange behavior. When I log in via Facebook Connect, some data is held around (not sure what yet), and if I go to a new browser on a new machine, it will auto log me in as the last user to log into my site, without any credentials or anything. This also manifests itself on the original browser if I try to log out, which does log me out of Facebook and clears the Facebooker session and tells me I have successfully logged out, but will then auto log me in as the last user to log into the site. Even if I clear my browser cookies and return to the site, it again logs me in as the last user to hit the site. Note this does not happen with standard devise accounts; those still work on my site just fine and I can log in/out of them without trouble.

Now I couldn't reproduce this in my development environment (mongrel), but in production I'm using nginx+passenger (on EngineYard). When I then switched production to nginx+mongrel everything works fine.

Has anyone else seen this? Or by chance is there a bug in devise_facebook_connectable such that it is storing some data somewhere that passenger is holding onto but that mongrel does not?

grimen commented 14 years ago

I don't know actually, I just used it with mongrel - and in production Heroku (not sure what they run).

szimek commented 14 years ago

There's already another opened issue about exactly the same problem and hopefully a solution for it as well: http://github.com/grimen/devise_facebook_connectable/issues#issue/15/comment/136334.

I've got this fix in my branch along with commits from joshk that seem to solve some problems with the latest (1.0.6) devise gem.

kabriel commented 14 years ago

OK, I didn't catch from the subject that it was the same issue, but it looks like it could be. The only solution stated on that issue is to use mongrel, but not a fix. If your change does fix it, hopefully we can see that in the master soon!

szimek commented 14 years ago

The cause of it is (most likely) that Facebooker stores the session in Thread.current - see http://groups.google.com/group/phusion-passenger/browse_thread/thread/e739862c4097acb1. Here's the patch szimek/devise_facebook_connectable@ce33308a58779b8393b0125b6b1499425f3be5bc based on the comment I linked to previously.

grimen commented 14 years ago

Yea, I think I had a discussion about this before...remembering Passenger is not fully thread-safe. Could be fixed by using session[:facebook_user] as well I believe.

grimen commented 14 years ago

Since I updated to Devise 1.0.6 + Warden 0.10.3 I've got this issue on Heroku as well. Really confusing: not sure if Heroku did something to their server setup or if something spooky is going on in Warden (or Devise) - I just changed a route, so there should not be any difference from before, when it worked all good on Heroku. =S Will have a break now for sleep, and hopefully get around to it tomorrow. -_-

szimek commented 14 years ago

The patch mentioned in my previous post fixed the problem for me.

szimek commented 14 years ago

This issue can most likely be closed now.

grimen commented 14 years ago

OK, thanks - closing.

mattvanhorn commented 14 years ago

I have the code from that patch on my site, but I am still getting users logged in as other people. The patch may solve the logout problem, but I'm not sure it fixes the cross-thread login issue.

szimek commented 14 years ago

In theory it should work... The first before filter - expired_session_hack - resets the session stored in the current thread to nil and then the second filter - set_facebook_session - sets it again. What server are you using?
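Added example (not part of the original thread, and not Facebooker or devise_facebook_connectable code): a small Ruby model of the failure mode described above, where per-user state kept in `Thread.current` outlives the request on a long-lived worker, next to the reset-then-set filter order. The slot name, handler names and sample requests are hypothetical.

```ruby
# Constructed model of the bug discussed in this thread; not Facebooker or
# devise_facebook_connectable code. All names here are hypothetical.

KEY = :facebook_session_model # stand-in for the thread-local session slot

# A request is modelled as a hash of cookies (constructed sample input).
ALICE_REQUEST     = { "fb_user" => "alice" }.freeze
ANONYMOUS_REQUEST = {}.freeze # fresh browser, no cookies at all

# Who the application believes is signed in, read from the thread-local slot.
def current_user
  session = Thread.current[KEY]
  session && session[:user]
end

# Vulnerable shape: the slot is only written when the request carries
# Facebook cookies, so a cookie-less request inherits whatever the worker
# stored while serving the previous user.
def handle_vulnerable(cookies)
  Thread.current[KEY] = { user: cookies["fb_user"] } if cookies.key?("fb_user")
  current_user
end

# Hardened shape, mirroring the two filters described above: first reset the
# slot to nil, then rebuild it from this request's own cookies only.
def handle_hardened(cookies)
  Thread.current[KEY] = nil
  Thread.current[KEY] = { user: cookies["fb_user"] } if cookies.key?("fb_user")
  current_user
end

# Serve a sequence of requests on ONE long-lived worker thread and return
# the identity each request was served as.
def serve_on_one_worker(handler, requests)
  Thread.new { requests.map { |cookies| send(handler, cookies) } }.value
end

if __FILE__ == $PROGRAM_NAME
  requests = [ALICE_REQUEST, ANONYMOUS_REQUEST]
  p serve_on_one_worker(:handle_vulnerable, requests)
  p serve_on_one_worker(:handle_hardened, requests)
end
```

A regression test for this class of bug replays an authenticated request followed by a cookie-less one on the same worker and asserts that the second is served as nobody.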

mattvanhorn commented 14 years ago

Using Apache/Passenger 2.2.11, facebooker-1.0.70, devise_facebook_connectable-0.2.1