Remember me & timeout #308

jeyb commented Apr 14, 2012

Allow remember_me to be set alongside of timeout, with remember_me taking precedence. @slavik112211 implemented this a long while back but I don't see a pull request for it. Not sure why; if you see an issue with the work, let me know and I can adjust/fix.

I've tested this manually as well and it works as expected, with the remember me setting taking precedence over timeout.

There are a few reported issues this fixes, #126, #130 and #134.

@jeyb jeyb Allow remember_me to be set alongside of timeout, with remember_me ta…
…king precedence. Pulled from slavik112211/authlogic.

maletor commented Apr 27, 2012


sailing commented Apr 30, 2012

+1 Would love to see this.


jefmathiot commented Jun 16, 2012


@jefmathiot jefmathiot added a commit to servebox/authlogic that referenced this pull request Jun 24, 2012

@jefmathiot jefmathiot Manually integrated changes from pull request #308 (remember me vs. t…

binarylogic commented Dec 7, 2012

Thanks, this has been pulled in

I believe there is a vulnerability in storing the remember_me timeout in the cookie. A user can edit this timeout on the cookie and stay authenticated indefinitely. Doesn't the timeout need to be handled server-side (by adding a remember_expires_at or similar type of column)?


tiegz commented Feb 20, 2014

@phuibonhoa just saw your comment here-- I added a PR a while ago to set this cookie as a signed cookie, which would require the app's secret token to set/read the persistence cookie: #342. I think that would make this feature more secure?

md5 commented May 20, 2015

I believe this issue can be closed. I see a remember_me_expired? method in master. cf.


tiegz commented May 21, 2015

Thanks @md5

tiegz closed this May 21, 2015
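
The concern raised in this thread (a client-editable expiry in the persistence cookie) and the two mitigations discussed (signing the cookie, and a server-side expiry such as a remember_expires_at column), as an added Ruby example that is not part of the thread and not authlogic's code. The cookie layout, `SECRET` and all method names are hypothetical.

```ruby
require "openssl"

# Added illustration; the cookie layout and every name here are hypothetical,
# not authlogic's implementation.
SECRET = "constructed-demo-secret" # stands in for the app's secret token

def sign(payload)
  OpenSSL::HMAC.hexdigest("SHA256", SECRET, payload)
end

# Constant-time comparison so the MAC check does not leak a matching prefix.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Unsigned layout "<token>::<expiry epoch>": the server trusts the client's expiry.
def unsigned_valid?(cookie, now)
  _token, expires = cookie.to_s.split("::", 2)
  expires.to_i > now.to_i
end

# Signed layout "<token>::<expiry epoch>--<hex HMAC-SHA256>".
def issue_cookie(token, expires_at)
  payload = "#{token}::#{expires_at.to_i}"
  "#{payload}--#{sign(payload)}"
end

# Returns the token only if the MAC verifies, the signed expiry is in the
# future, and the server-side expiry (e.g. a remember_expires_at column)
# has not passed. Returns nil otherwise.
def verify_cookie(cookie, now, server_expires_at)
  payload, _sep, mac = cookie.to_s.rpartition("--")
  return nil if payload.empty? || !secure_compare(sign(payload), mac)
  token, expires = payload.split("::", 2)
  return nil if expires.to_i <= now.to_i
  return nil if server_expires_at.to_i <= now.to_i
  token
end
```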
