Remember me & timeout #308

Closed

9 participants

@jeyb

Allow remember_me to be set alongside timeout, with remember_me taking precedence. @slavik112211 implemented this a long while back but I don't see a pull request for it. Not sure why; if you see an issue with the work let me know and I can adjust/fix.

I've tested this manually as well and it works as expected, with the remember_me setting taking precedence over timeout.

There are a few reported issues this fixes, #126, #130 and #134.

@jeyb jeyb Allow remember_me to be set alongside of timeout, with remember_me taking precedence. Pulled from slavik112211/authlogic.
bb5c8a8
@maletor

👍

@sailing

+1 Would love to see this.

@jefmathiot jefmathiot added a commit to servebox/authlogic that referenced this pull request Jun 24, 2012
@jefmathiot jefmathiot Manually integrated changes from pull request #308 (remember me vs. timeout)
a95d8c0
@binarylogic
Owner

Thanks, this has been pulled in

@phuibonhoa

I believe there is a vulnerability in storing the remember_me timeout in the cookie. A user can edit this timeout on the cookie and stay authenticated indefinitely. Doesn't the timeout need to be handled server-side (by adding a remember_expires_at or similar type of column)?

@tiegz
Collaborator

@phuibonhoa just saw your comment here. I added a PR a while ago to set this cookie as a signed cookie, which would require the app's secret token to set/read the persistence cookie: #342. I think that would make this feature more secure?

@md5

I believe this issue can be closed. I see a remember_me_expired? method in master. cf. https://github.com/binarylogic/authlogic/blob/423f53a9c604c95c634b00d7a05bb6382fe28119/lib/authlogic/session/cookies.rb#L123
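The two points raised in the last three comments, shown side by side in a self-contained Ruby script: a persistence cookie that carries its own remember-me expiry can be edited by the user to revive an expired login, while a cookie that is HMAC-signed with the app secret and whose expiry is checked against a server-side timestamp rejects that edit. This is an added example, not Authlogic's code: the `token::id::until` and `token::id--mac` cookie layouts, the `remember_expires_at` field, `DEMO_SECRET` and every helper name are assumptions chosen for the demonstration.

```ruby
require "openssl"
require "securerandom"
require "time"

# Constructed sample record standing in for the user row a session would load.
# remember_expires_at is a hypothetical server-side column, as suggested above.
SAMPLE_USER = {
  id: 42,
  persistence_token: SecureRandom.hex(32),
  remember_expires_at: Time.now.utc + 24 * 3600,
}.freeze

# --- Vulnerable form: the remember-me expiry travels in the cookie unprotected ---

# Assumed layout "persistence_token::id::remember_until"; nothing binds the parts.
def weak_cookie(user, remember_until)
  "#{user[:persistence_token]}::#{user[:id]}::#{remember_until.utc.iso8601}"
end

def weak_cookie_valid?(cookie, user, now: Time.now.utc)
  token, id, until_s = cookie.split("::", 3)
  return false if until_s.nil?
  return false unless token == user[:persistence_token] && id.to_i == user[:id]
  Time.iso8601(until_s) > now # trusts whatever expiry the client sent back
rescue ArgumentError
  false
end

# What a user can do with a browser cookie editor: keep the real token and id,
# push the expiry into the far future, and an expired cookie is alive again.
def extend_expiry(cookie)
  token, id, _until = cookie.split("::", 3)
  "#{token}::#{id}::9999-12-31T00:00:00Z"
end

# --- Hardened form: HMAC-signed cookie, expiry decided by the server ---

DEMO_SECRET = SecureRandom.bytes(32) # stands in for the app's secret token

def sign(payload, secret = DEMO_SECRET)
  OpenSSL::HMAC.hexdigest("SHA256", secret, payload)
end

# Constant-time comparison so the MAC check does not leak through timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Assumed layout "persistence_token::id--hexmac"; no expiry in the cookie at all.
def signed_cookie(user, secret = DEMO_SECRET)
  payload = "#{user[:persistence_token]}::#{user[:id]}"
  "#{payload}--#{sign(payload, secret)}"
end

def signed_cookie_valid?(cookie, user, now: Time.now.utc, secret: DEMO_SECRET)
  payload, mac = cookie.split("--", 2)
  return false if payload.nil? || mac.nil?
  return false unless secure_equal?(mac, sign(payload, secret)) # any edit fails here
  token, id = payload.split("::", 2)
  return false unless token == user[:persistence_token] && id.to_i == user[:id]
  user[:remember_expires_at] > now # the server-side record decides, not the cookie
end

if $PROGRAM_NAME == __FILE__
  expired = weak_cookie(SAMPLE_USER, Time.now.utc - 3600)
  puts "expired weak cookie accepted?   #{weak_cookie_valid?(expired, SAMPLE_USER)}"
  puts "after client edit accepted?     #{weak_cookie_valid?(extend_expiry(expired), SAMPLE_USER)}"
  good = signed_cookie(SAMPLE_USER)
  puts "signed cookie accepted?         #{signed_cookie_valid?(good, SAMPLE_USER)}"
  puts "id-edited signed accepted?      #{signed_cookie_valid?(good.sub('::42--', '::7--'), SAMPLE_USER)}"
end
```

Signing alone only proves the cookie was minted by the server; it is the server-side `remember_expires_at` comparison that stops a still-valid signed cookie from outliving the window the application intended. Rotating `DEMO_SECRET` invalidates every outstanding signed cookie at once, which is the expected behaviour when the app secret is rotated.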

@tiegz
Collaborator

Thanks @md5

@tiegz tiegz closed this May 21, 2015