I'm confused as to the purpose of storing user_credentials twice in cookies in a typical Rails app using cookie-based sessions. Once a user is logged in, there is both Authlogic data in the Rails session cookie, which is encrypted and signed, and also in the replay-attackable user_credentials cookie. Why have both? Shouldn't there be an option to turn off cookies in Authlogic?
This is coming up in a strange situation where users are missing their Rails session cookie (and thus their CSRF token) but are "logged in" because of the user_credentials cookie.
Also, in digging into this I realized that we use Bugsnag and that it should be configured to filter out the user_credentials cookie, since it can be used to log in as the given user. Perhaps the README.md needs to be updated to help folks realize what cookies are being used and might need to be filtered out.
The cookie is only there when you use the remember_me feature. You can't use Rails session cookies because they are session cookies that go away when the browser is closed.
Also, in digging into this I realized that we use Bugsnag and that it should be configured to filter out the user_credentials cookie, since it can be used to log in as the given user. Perhaps the README.md needs to be updated to help folks realize what cookies are being used and might need to be filtered out.
Hi Myers, Such an addition to the readme would be welcome, thanks. It doesn't quite fit under section 5 "addons" so maybe a new section "integrations"?
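The two practical points raised in this thread (keep the remember-me cookie out of third-party error reports, and notice requests that carry user_credentials but no Rails session cookie) can be checked with a few lines of Ruby. The block below is an added example, not code from Authlogic, the issue author or the Bugsnag gem: it parses a Cookie header, redacts the sensitive cookie values before they would be handed to an error reporter, and flags the inconsistent state described above. The cookie name `user_credentials` comes from the thread; `_myapp_session` is an assumed stand-in for the application's own Rails session cookie name, and the sample header and its token value are constructed placeholders.

```ruby
# Added example (not from the Authlogic project or the issue author).
# Redacts sensitive cookies from a request snapshot before it reaches an
# error reporter, and flags the inconsistent state described in the thread:
# a remember-me cookie present while the Rails session cookie is absent.

FILTERED = "[FILTERED]".freeze

# Cookie names: "user_credentials" is Authlogic's remember-me cookie as named
# in the thread; "_myapp_session" is an assumed placeholder for the app's own
# Rails session cookie name, which is configured per application.
REMEMBER_COOKIE   = "user_credentials".freeze
SESSION_COOKIE    = "_myapp_session".freeze
SENSITIVE_COOKIES = [REMEMBER_COOKIE, SESSION_COOKIE].freeze

# Parse a raw Cookie request header ("a=1; b=2") into a Hash of name => value.
def parse_cookie_header(header)
  header.to_s.split(/;\s*/).each_with_object({}) do |pair, acc|
    name, value = pair.split("=", 2)
    next if name.nil? || name.empty?
    acc[name] = value.to_s
  end
end

# Return a copy of the cookie hash with the values of sensitive cookies
# replaced, so the snapshot can be attached to an error report safely.
def redact_cookies(cookies, names = SENSITIVE_COOKIES)
  cookies.each_with_object({}) do |(name, value), acc|
    acc[name] = names.include?(name) ? FILTERED : value
  end
end

# True when a request carries the remember-me cookie but no session cookie:
# the browser will be "logged in" via Authlogic yet has no CSRF token, the
# situation the issue describes. Useful as a log/metric signal.
def remember_me_without_session?(cookies)
  cookies.key?(REMEMBER_COOKIE) && !cookies.key?(SESSION_COOKIE)
end

# Constructed sample header; the token value is a placeholder, not a real one.
SAMPLE_HEADER = "user_credentials=PLACEHOLDER_TOKEN%3A%3A42; theme=dark".freeze

if __FILE__ == $PROGRAM_NAME
  cookies = parse_cookie_header(SAMPLE_HEADER)
  puts redact_cookies(cookies).inspect
  puts "remember-me cookie present without a session cookie" if remember_me_without_session?(cookies)
end
```

In a real application the redaction step belongs wherever request data is attached to an error report; the bugsnag-ruby notifier, for instance, exposes a `meta_data_filters` setting that takes a list of key names to redact, and adding `user_credentials` there covers the case the thread is about.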