I have an odd bug on one of my sites. I use authlogic for all the login-related stuff, including a password reset process which works as follows:
First, the user types in their email address and hits a button to send a reset password link. In the subsequent action I do this:
user.reset_perishable_token!
user.host = request.host_with_port
token = user.perishable_token
'token' goes into a link in the email they are then sent, which has this format:
<domain name>/users/edit_password?id=1670&token=y1j6k__imXOajyNGq8DN
where id is the user's id and token is the token i just generated.
On the action that the email link points to, I do this:
@user = User.find_using_perishable_token(params[:token], 1.day)
And on the basis of whether @user is blank or not, I decide whether the token is valid and they can go ahead and change their password. Generally that's working fine, but I have a problem where if someone generates the reset email in one browser, then receives the email in another browser and clicks on it (thus opening the 'edit_password' page in browser B), the link is decided to be invalid.
I can't think why the browser would make a difference. I thought of it being due to system time maybe but that would be the same in both browsers right?
Grateful for any thoughts - max
Shouldn't make a difference. Be sure that you don't save the user after sending the perishable token - the perishable token will be changed on saving.
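To make the answer's point concrete, here is an added example (not code from the question, the answer, or Authlogic itself). It uses a small plain-Ruby stand-in for the user model whose save rotates perishable_token, which is the default token maintenance behaviour the answer refers to, and it compares the two flows: generating the token and then leaving the record alone, versus generating it and then saving the record (for instance to persist the host). The class name, the in-memory record store, the one-day window and the constant-time compare are assumptions made for the example.

```ruby
require 'securerandom'

# Constructed stand-in for an Authlogic-style user record (not Authlogic's
# code). The one behaviour that matters here: saving the record issues a
# fresh perishable token, so a link carrying the old token stops matching.
class User
  attr_accessor :id, :host, :perishable_token, :updated_at

  def self.records
    @records ||= {}
  end

  def initialize(id)
    @id = id
    @perishable_token = nil
    @updated_at = Time.now
  end

  # Generate a new random token and register the record in the store.
  def reset_perishable_token!
    @perishable_token = SecureRandom.urlsafe_base64(15)
    @updated_at = Time.now
    User.records[@id] = self
    @perishable_token
  end

  # Assumption: mirrors default Authlogic maintenance, which resets the
  # perishable token on every save of the record.
  def save
    reset_perishable_token!
    true
  end

  # Look a user up by token, rejecting tokens older than max_age seconds.
  def self.find_using_perishable_token(token, max_age)
    return nil if token.nil? || token.empty?
    user = records.values.find { |u| secure_compare(u.perishable_token.to_s, token) }
    return nil if user.nil?
    return nil if Time.now - user.updated_at > max_age
    user
  end

  # Compare tokens without short-circuiting on the first mismatching byte.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# The "send reset email" action. With save_after: true it reproduces the
# mistake the answer describes: the record is saved after the token was
# captured for the link, which rotates the token the link carries.
def reset_link_token(user, host, save_after: false)
  user.reset_perishable_token!
  user.host = host
  token = user.perishable_token
  user.save if save_after
  token
end

# The "edit_password" action: valid only if the token still matches and
# is within the window (one day, as in the question).
def link_valid?(token, max_age = 86_400)
  !User.find_using_perishable_token(token, max_age).nil?
end

if __FILE__ == $0
  good = reset_link_token(User.new(1670), 'example.test')
  bad  = reset_link_token(User.new(1671), 'example.test', save_after: true)
  puts "no save after token:  #{link_valid?(good)}"   # true
  puts "save after token:     #{link_valid?(bad)}"    # false
end
```

The browser the link is opened in never enters into the lookup: only the token value and the record's last-update time do, which is why the failing case is the flow that touches the record after the token has been put into the email.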