I am using the perishable token magic in authlogic to do password resets. However, it seems that the token is getting reset when a user tries to log in and fails. This is because authlogic is incrementing failed login attempts on the user record. So if the user requests a new password and then tries to log in before resetting the password, the perishable token changes.

Any ideas to get around this?

A: 

So we eventually figured out a way around this.

First move was to disable the automatic perishable token handling:

#############
## Authlogic
acts_as_authentic do |c|
  # ... other Authlogic settings ...
  c.disable_perishable_token_maintenance = true
  # ... other Authlogic settings ...
end

Then we created our own before_filter on user to mimic the same functionality as the auto handler but ignore changes to the failed_login_count field:

before_save :handle_perishable_token

def handle_perishable_token
  unless failed_login_count_changed?
    reset_perishable_token
  end
end

This basically allows a user to fail at logging in and not reset the perishable token.

ChrisH
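
The behaviour described in the answer above, as an added example that is not part of the original answer: a plain-Ruby simulation comparing default token maintenance with the answer's handler across a reset request, a failed login and the actual password change. It uses no Rails or Authlogic; `FakeUser`, `reset_flow` and the integer timestamps are constructed stand-ins.

```ruby
require "securerandom"

# Plain-Ruby stand-in for the ActiveRecord user model (constructed for this example).
class FakeUser
  attr_reader :perishable_token, :updated_at
  attr_accessor :failed_login_count, :crypted_password

  def initialize(custom_handler:)
    @custom_handler = custom_handler
    @failed_login_count = 0
    @saved_failed_login_count = 0
    @crypted_password = "old-hash"
    reset_perishable_token
  end

  def reset_perishable_token
    @perishable_token = SecureRandom.urlsafe_base64(15)
  end

  def failed_login_count_changed?
    @failed_login_count != @saved_failed_login_count
  end

  # Mimics before_save: default maintenance rotates the token on every save,
  # the answer's handler skips saves that change failed_login_count.
  def save(now)
    reset_perishable_token unless @custom_handler && failed_login_count_changed?
    @updated_at = now
    @saved_failed_login_count = @failed_login_count
  end
end

# Returns [token survived the failed login?, token rotated by the password change?,
#          updated_at after the failed login]
def reset_flow(custom_handler:)
  user = FakeUser.new(custom_handler: custom_handler)
  user.save(1000)                      # reset requested, token mailed out
  mailed = user.perishable_token
  user.failed_login_count += 1
  user.save(1300)                      # failed login five minutes later
  survived = user.perishable_token == mailed
  stamp = user.updated_at
  user.crypted_password = "new-hash"
  user.save(1400)                      # password actually reset
  [survived, user.perishable_token != mailed, stamp]
end
```

The third value matters because Authlogic's `find_using_perishable_token` checks `updated_at` against the validity window: with the handler in place, a failed login keeps the mailed token and also restarts its expiry clock. The password-change save still rotates the token, so a used reset link cannot be replayed.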