-rw-r--r--app/controllers/account_controller.rb4
-rw-r--r--app/controllers/application_controller.rb7
-rw-r--r--app/models/user.rb14
3 files changed, 20 insertions, 5 deletions
diff --git a/app/controllers/account_controller.rb b/app/controllers/account_controller.rb
index 6bd7e02f5..842df6045 100644
--- a/app/controllers/account_controller.rb
+++ b/app/controllers/account_controller.rb
@@ -280,13 +280,13 @@ class AccountController < ApplicationController
end
def set_autologin_cookie(user)
- token = Token.create(:user => user, :action => 'autologin')
+ token = user.generate_autologin_token
secure = Redmine::Configuration['autologin_cookie_secure']
if secure.nil?
secure = request.ssl?
end
cookie_options = {
- :value => token.value,
+ :value => token,
:expires => 1.year.from_now,
:path => (Redmine::Configuration['autologin_cookie_path'] || RedmineApp::Application.config.relative_url_root || '/'),
:secure => secure,
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index d3f549e46..f7bc95a7d 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -168,9 +168,10 @@ class ApplicationController < ActionController::Base
# Logs out current user
def logout_user
if User.current.logged?
- cookies.delete(autologin_cookie_name)
- Token.where(["user_id = ? AND action = ?", User.current.id, 'autologin']).delete_all
- Token.where(["user_id = ? AND action = ? AND value = ?", User.current.id, 'session', session[:tk]]).delete_all
+ if autologin = cookies.delete(autologin_cookie_name)
+ User.current.delete_autologin_token(autologin)
+ end
+ User.current.delete_session_token(session[:tk])
self.logged_user = nil
end
end
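Review bot: Logout now revokes only the autologin token whose value arrives in this browser's cookie (the `if autologin = cookies.delete(autologin_cookie_name)` branch), whereas the removed `Token.where(... 'autologin').delete_all` revoked every autologin token of the user, so remembered logins on other devices now survive a logout and stay valid until the token expires. Because `cookies.delete` returns nil when the request carries no such cookie, a logout from a browser that lost or never had the cookie revokes no autologin token at all. If per-device revocation is the intended behaviour, state it on the method so nobody relies on logout as a global revoke, e.g. `# Revokes only this browser's autologin token; tokens remembered on other devices stay valid`, and make sure a "log out everywhere" path (purging all 'autologin' tokens for the user) still exists elsewhere. Assigning inside the `if` condition also reads like a typo to many reviewers; `autologin = cookies.delete(autologin_cookie_name)` on its own line followed by `User.current.delete_autologin_token(autologin) if autologin` is clearer.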
diff --git a/app/models/user.rb b/app/models/user.rb
index 815a6d343..f7a9c33bd 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -417,6 +417,20 @@ class User < Principal
token.value
end
+ def delete_session_token(value)
+ Token.where(:user_id => id, :action => 'session', :value => value).delete_all
+ end
+
+ # Generates a new autologin token and returns its value
+ def generate_autologin_token
+ token = Token.create!(:user_id => id, :action => 'autologin')
+ token.value
+ end
+
+ def delete_autologin_token(value)
+ Token.where(:user_id => id, :action => 'autologin', :value => value).delete_all
+ end
+
# Returns true if token is a valid session token for the user whose id is user_id
def self.verify_session_token(user_id, token)
return false if user_id.blank? || token.blank?