Remember me & timeout #308

wants to merge 1 commit into



Allow remember_me to be set alongside of timeout, with remember_me taking precedence. @slavik112211 implemented this a long while back but I don't see a pull request for it. Not sure why; if you see an issue with the work, let me know and I can adjust/fix.

I've tested this manually as well and it works as expected, with the remember me setting taking precedence over timeout.

There are a few reported issues this fixes, #126, #130 and #134.

@jeyb Allow remember_me to be set alongside of timeout, with remember_me taking precedence. Pulled from slavik112211/authlogic.



+1 Would love to see this.

@jefmathiot jefmathiot added a commit to servebox/authlogic that referenced this pull request Jun 24, 2012
@jefmathiot jefmathiot Manually integrated changes from pull request #308 (remember me vs. t…

Thanks, this has been pulled in


I believe there is a vulnerability in storing the remember_me timeout in the cookie. A user can edit this timeout on the cookie and stay authenticated indefinitely. Doesn't the timeout need to be handled server-side (by adding a remember_expires_at or similar type of column)?


@phuibonhoa just saw your comment here. I added a PR a while ago to set this cookie as a signed cookie, which would require the app's secret token to set/read the persistence cookie: #342. I think that would make this feature more secure?
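
The two mitigations discussed in the comments above, a signed cookie and a server-side expiry, shown next to the unsigned form as an added example. This is not authlogic's code: the cookie layout, secret, token and helper names are assumptions made for illustration.

```ruby
require "openssl"

# Constructed for this example: secret, token and cookie layout are assumptions,
# not authlogic's actual cookie format.
SECRET = "constructed-app-secret"

def sign(payload)
  OpenSSL::HMAC.hexdigest("SHA256", SECRET, payload)
end

# Constant-time comparison so the MAC check does not leak a prefix match.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Unsigned form: "<token>::<expiry epoch>". The client can rewrite the expiry.
def naive_remembered?(cookie, now)
  _token, _, exp = cookie.rpartition("::")
  now < Time.at(exp.to_i)
end

# Signed form: "<token>::<expiry epoch>--<hex HMAC-SHA256 of the payload>".
def issue_cookie(token, expires_at)
  payload = "#{token}::#{expires_at.to_i}"
  "#{payload}--#{sign(payload)}"
end

# Returns [token, expires_at], or nil when the MAC or the layout is wrong.
def read_cookie(cookie)
  payload, _, mac = cookie.to_s.rpartition("--")
  return nil unless secure_equal?(mac, sign(payload))
  token, _, exp = payload.rpartition("::")
  return nil unless exp.match?(/\A\d+\z/) && !token.empty?
  [token, Time.at(exp.to_i)]
end

# The server-side deadline (a remember_expires_at style column, here a Hash)
# is authoritative; the signed cookie value can only shorten it.
def remembered?(cookie, deadlines, now)
  token, cookie_exp = read_cookie(cookie)
  server_exp = token && deadlines[token]
  !server_exp.nil? && now < cookie_exp && now < server_exp
end

NOW = Time.at(1_700_000_000)                    # constructed clock
DEADLINES = { "tok123" => NOW + 3600 }          # constructed server-side record
GOOD = issue_cookie("tok123", NOW + 3600)
EDITED = GOOD.sub((NOW + 3600).to_i.to_s, "9999999999") # expiry edited, MAC kept
```

Signing alone makes an edited expiry fail verification; keeping the deadline server-side additionally lets the application end a remembered session before the cookie's own expiry.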


I believe this issue can be closed. I see a remember_me_expired? method in master. cf.


Thanks @md5

@tiegz tiegz closed this May 21, 2015