Allow remember_me to be set alongside of timeout, with remember_me taking precedence. @slavik112211 implemented this a long-while back but I don't see a pull request for it. Not sure why, if you see an issue with the work let me know and I can adjust/fix.
I've tested this manually as well and it works as expected, with remember me setting taking precedence over timeout.
There are a few reported issues this fixes, #126, #130 and #134.
Allow remember_me to be set alongside of timeout, with remember_me taking precedence. Pulled from slavik112211/authlogic.
+1 Would love to see this.
Manually integrated changes from pull request #308 (remember me vs. t…
Thanks, this has been pulled in
I believe there is a vulnerability in storing the remember_me timeout in the cookie. A user can edit this timeout on the cookie and stay authenticated indefinitely. Doesn't the timeout need to be handled server-side (by adding a remember_expires_at or similar type of column)?
@phuibonhoa just saw your comment here; I added a PR a while ago to set this cookie as a signed cookie, which would require the app's secret token to set/read the persistence cookie: #342. I think that would make this feature more secure?
I believe this issue can be closed. I see a remember_me_expired? method in master. cf. https://github.com/binarylogic/authlogic/blob/423f53a9c604c95c634b00d7a05bb6382fe28119/lib/authlogic/session/cookies.rb#L123
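To make the two designs debated in this thread concrete, here is an added, self-contained Ruby example. It is not authlogic's code and not from any commenter; `User`, `REMEMBER_FOR`, `weak_cookie_valid?`, `persistence_valid?`, the `"token::expiry"` and `"payload--hmac"` cookie layouts, and the sample users are all constructed for illustration. It contrasts a cookie that carries its own expiry (which the client can rewrite) with a server-side `remember_created_at` check in the spirit of `remember_me_expired?`, wrapped in an HMAC-signed cookie like the one proposed in #342.

```ruby
require "openssl"
require "time"

# Constructed example: server-side remember-me expiry plus a signed cookie.
# Names and layouts here are hypothetical, not authlogic's implementation.

REMEMBER_FOR = 14 * 24 * 60 * 60 # assumed app setting: remember for 14 days

# A user record that stores WHEN remember-me was granted, server-side.
User = Struct.new(:id, :persistence_token, :remember_created_at)

# Weak design: the cookie carries its own expiry, so the client decides it.
def weak_cookie_valid?(cookie, users, now: Time.now)
  token, expires_at = cookie.split("::", 2)
  user = users[token]
  return false unless user && expires_at
  Time.parse(expires_at) > now # trusts a client-supplied timestamp
end

# Hardened design: expiry is derived from the server-side timestamp only.
def remember_me_expired?(user, now: Time.now)
  user.remember_created_at.nil? || user.remember_created_at + REMEMBER_FOR < now
end

def persistence_valid?(cookie, users, secret, now: Time.now)
  token = verify_signed(cookie, secret) # nil if tampered or malformed
  return false unless token
  user = users[token]
  return false unless user
  !remember_me_expired?(user, now: now)
end

# Signed cookie value "payload--hexdigest": editing the payload breaks the MAC.
def sign(payload, secret)
  "#{payload}--#{OpenSSL::HMAC.hexdigest("SHA256", secret, payload)}"
end

def verify_signed(cookie, secret)
  payload, digest = cookie.split("--", 2)
  return nil if payload.nil? || digest.nil?
  expected = OpenSSL::HMAC.hexdigest("SHA256", secret, payload)
  secure_compare(expected, digest) ? payload : nil
end

# Constant-time comparison so the MAC check does not leak via timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Walks both designs with constructed users and a fixed clock.
def demo
  secret = "constructed-secret-not-for-real-use"
  now = Time.utc(2024, 1, 1)
  alice = User.new(1, "tok_alice", now - 2 * 24 * 3600)  # remembered 2 days ago
  bob   = User.new(2, "tok_bob",   now - 30 * 24 * 3600) # remembered 30 days ago
  users = { "tok_alice" => alice, "tok_bob" => bob }

  # Weak scheme: a rewritten expiry in the cookie keeps a stale session alive.
  edited = "tok_bob::#{(now + 365 * 24 * 3600).iso8601}"
  weak = weak_cookie_valid?(edited, users, now: now)

  # Hardened scheme: only the server-side timestamp and a valid MAC count.
  fresh  = persistence_valid?(sign("tok_alice", secret), users, secret, now: now)
  stale  = persistence_valid?(sign("tok_bob", secret), users, secret, now: now)
  forged = persistence_valid?("tok_alice--deadbeef", users, secret, now: now)

  { weak_accepts_edited: weak, fresh: fresh, stale: stale, forged: forged }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The point of the split is that the signed cookie (the #342 idea) stops the client from changing what the cookie says, while the server-side timestamp (the `remember_me_expired?` idea) ensures that even an untouched, validly signed cookie stops working once the server's own window has passed; each mitigation covers a gap the other leaves.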