
What is the purpose of the user_credentials cookie? Why store that in a cookie and in the Rails session? #663

Closed
myers opened this issue Mar 7, 2019 · 2 comments

Comments


myers commented Mar 7, 2019

I'm confused as to the purpose of storing user_credentials twice in cookies in a typical Rails app using cookie-based sessions. Once a user is logged in, there is both Authlogic data in the Rails session cookie, which is encrypted and signed, and also in the replay-attackable user_credentials cookie. Why have both? Shouldn't there be an option to turn off cookies in Authlogic?

This is coming up in a strange situation where users are missing their rails session cookie (and thus their CSRF token) but are "logged in" because of the user_credentials cookie.

Also, in digging into this I realized that we use Bugsnag and that it should be configured to filter out the user_credentials cookie, since it can be used to log in as the given user. Perhaps the README.md needs to be updated to help folks realize what cookies are being used and might need to be filtered out.
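As an added example (not Authlogic's or Bugsnag's own code), here is how request cookie data can be redacted before it reaches an error reporter or a log, so that a persistent bearer token such as the user_credentials cookie never ends up in a third-party service. The cookie names, the sample header and the helper names are assumptions; in a real app the same effect is normally obtained through the reporter's own filter configuration.

```ruby
# Added example: redact bearer-credential cookies from request data before it
# is attached to an error report or log line. Names below are assumptions.

# Cookies whose raw value lets anyone holding it act as the user (replayable).
SENSITIVE_COOKIES = %w[user_credentials _app_session].freeze
FILTERED = "[FILTERED]".freeze

# Parse a raw Cookie request header ("a=1; b=2") into an ordered Hash.
# Values may themselves contain "=", so split each pair at the first one only.
def parse_cookie_header(header)
  header.to_s.split(/;\s*/).each_with_object({}) do |pair, cookies|
    name, value = pair.split("=", 2)
    next if name.nil? || name.empty?
    cookies[name] = value.to_s
  end
end

# Return a copy of the cookie hash with sensitive values replaced.
def redact_cookies(cookies, names = SENSITIVE_COOKIES)
  cookies.each_with_object({}) do |(name, value), out|
    out[name] = names.include?(name) ? FILTERED : value
  end
end

# Rebuild the Cookie header with sensitive values redacted, preserving order.
def redact_cookie_header(header, names = SENSITIVE_COOKIES)
  redact_cookies(parse_cookie_header(header), names)
    .map { |name, value| "#{name}=#{value}" }
    .join("; ")
end

# Apply the redaction to a whole request-header hash; header names are
# matched case-insensitively because frameworks normalise them differently.
def redact_request_headers(headers, names = SENSITIVE_COOKIES)
  headers.each_with_object({}) do |(key, value), out|
    out[key] = key.casecmp?("Cookie") ? redact_cookie_header(value, names) : value
  end
end

# Constructed sample: a remember-me token next to a harmless preference cookie.
SAMPLE_COOKIE_HEADER = "theme=dark; user_credentials=abc123%3A%3A42; _app_session=sess".freeze

if __FILE__ == $PROGRAM_NAME
  puts redact_cookie_header(SAMPLE_COOKIE_HEADER)
  # => theme=dark; user_credentials=[FILTERED]; _app_session=[FILTERED]
end
```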


myers commented Mar 7, 2019

The cookie is only there when you use the remember_me feature. You can't use Rails session cookies because they are session cookies that go away when the browser is closed.

myers closed this as completed Mar 7, 2019

jaredbeck (Collaborator) commented
> Also, in digging into this I realized that we use Bugsnag and that it should be configured to filter out the user_credentials cookie, since it can be used to log in as the given user. Perhaps the README.md needs to be updated to help folks realize what cookies are being used and might need to be filtered out.

Hi Myers, such an addition to the readme would be welcome, thanks. It doesn't quite fit under section 5 "addons", so maybe a new section "integrations"?
