Question

On our production site, we are using rails 3.2.3 and authlogic 3.1.0. I am able to log into our rails application with any browser. We are currently moving to rails 3.2.6 as well as upgrading to use the asset pipeline, and as such we are also upgrading authlogic to 3.1.3.

The problem is, I am able to log into production, which is running rails 3.2.3 and authlogic 3.1.0, but when upgrading to rails 3.2.6 and authlogic 3.1.3 locally on a feature branch, login on both google chrome and mobile safari is not working and it redirects due to a nil session, while login locally works in safari and firefox. I have checked and cookies are being accepted on all testing devices. The sole issue appears to be between rails 3.2.3 / authlogic 3.1.0 and rails 3.2.6 / authlogic 3.1.3, as none of the codebase has changed other than gem versions.

UPDATE: In the server logs locally, on both google chrome and mobile safari I am getting: WARNING: Can't verify CSRF token authenticity; however, on safari I am not. = csrf_meta_tag is in application.haml


Solution

After going back through code commits, the error stemmed back to a change in our session_store.rb initializer. The cookie domain was not being correctly set and as such, it was causing the session to be reset to nil by the browser rather than the app itself. After changing the following line in config/initializers/session_store.rb:

Application.config.session_store :cookie_store, :key => "_troopswap_session", :domain => '*domain.tld*'

to

Application.config.session_store :cookie_store, :key => "_troopswap_session", :domain => :all

the cookies are not being dropped and I am able to log in.
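
Why a mismatched `:domain` empties the session, as an added example that is not part of the original answer: a browser discards a `Set-Cookie` whose Domain attribute does not match the host it requested, so the next request arrives without the session that holds the CSRF token. The host names and helper functions are constructed for illustration, and `derived_domain` only approximates what a host-derived setting such as `:all` does.

```ruby
# Added example. Simplified RFC 6265 domain matching (no public-suffix list).
# All hosts and domains are constructed; helper names are hypothetical.

IP_LITERAL = /\A[\d.]+\z|:/ # IPv4 dotted quad or anything with a colon (IPv6)

# Would a browser that requested request_host store a cookie carrying this
# Domain attribute? nil means no Domain attribute (a host-only cookie).
def cookie_accepted?(request_host, cookie_domain)
  return true if cookie_domain.nil?
  host = request_host.downcase
  domain = cookie_domain.downcase.sub(/\A\./, "") # a leading dot is ignored
  return true if host == domain
  return false if host =~ IP_LITERAL # IP hosts only match exactly
  host.end_with?(".#{domain}")       # must match on a label boundary
end

# Assumption: approximates a "derive the domain from the request host"
# setting by keeping the last tld_length + 1 labels. Not Rails' own code.
def derived_domain(request_host, tld_length = 1)
  return nil if request_host =~ IP_LITERAL
  labels = request_host.downcase.split(".")
  return nil if labels.length <= tld_length # e.g. "localhost": host-only
  ".#{labels.last(tld_length + 1).join('.')}"
end

# Does the session cookie survive the round trip for this configuration?
def session_survives?(request_host, configured_domain)
  domain = configured_domain == :all ? derived_domain(request_host) : configured_domain
  cookie_accepted?(request_host, domain)
end

if __FILE__ == $PROGRAM_NAME
  [["www.domain.tld", "domain.tld"], ["localhost", "domain.tld"],
   ["localhost", :all], ["app.dev.test", :all]].each do |host, cfg|
    puts format("%-16s domain=%-12s stored=%s", host, cfg.inspect, session_survives?(host, cfg))
  end
end
```

A domain derived from the host also sends the session cookie to every sibling subdomain, so any host under that domain receives it.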

Other tips

Without diving into this too far, have you tried disabling the CSRF token verification feature?

With your Update you mentioned that the logs were warning about the CSRF; this would lead me to believe that rails or authlogic are flagging the request as forgery.

License: CC-BY-SA with attribution
Not affiliated with StackOverflow