Authlogic: how to log in a user behind the scenes without knowing their password

I use Authlogic to handle login/authentication/sessions etc and I'm using paypal to handle my payment for subscription to my site. For users whose trial has expired, i'd like to log them in automatically after they go through the paypal payment process, but i can't work out how to do this without a password. My flow is thus:

• expired user logs in
• their trial has expired, so i push them to the subscribe page, keeping track of who they are via their unique persistence_token field, which i put in a param which gets sent on to paypal.
• when i get the payment notification from paypal, i get their token as well, so i know which user has paid, and i amend their account accordingly.
• when they have paid in paypal, the button to send them back to my site has the unique token of their order, so i can tell that it is the person who has just paid that is going to that 'subscription complete' page rather than anyone just typing in the url to their browser.
• when they return from paypal to the site, they are still logged out, and they have to go through开发者_运维百科 the login/registration process.

In the above situation, because i get the order token in the params to my 'subscription_complete' page, i know that the user is the same one who has just paid, and so i have enough information to trust them, as if they had logged in. So, i would like to log them in automatically, ie create a UserSession record for them. But, the problem is that i don't know their password (because passwords are 1-way encrypted), and i need the passsword to create the user_session.

So, my question is: if i trust the current user, but don't know their password, can i still log them in anyway? If so, how?

I've used UserSession.create(@user) before. Doesn't this work for you?