add Authlogic::Session::Cookies#sign_cookies config option #342

merged 1 commit into from Feb 28, 2014



3 participants

tiegz commented Jan 7, 2013


Add a config option to cookies to use Rails-style signed cookies for the remember_me cookie (disabled by default).


Just as an extra precaution to take, if desired.


When this switch is toggled, already-existing cookies in the wild will be invalidated.


@tiegz tiegz referenced this pull request Jan 7, 2013

Option to use signed cookies #331

drewish commented Jan 15, 2013

Seems like this might address #309

tiegz commented Jan 15, 2013

@drewish I'm in favor of locking down the remember-me cookie from replay attacks, but currently you could do that by setting the secure option to true and calling reset_persistence_token in your own app more often. Unfortunately I think the only thing my patch does is make the brute-force scenario harder (which is already very difficult to do).

Also, aside from replay attacks, someone could currently write their own remember-me cookies (pretend to be any user) if they got a hold of your database. This patch would prevent that situation too (as long as they don't have your secret token).
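The threat model in the PR description and in the comment above (an attacker who has the persistence_token column but not the app secret, and the note that existing unsigned cookies stop validating once signing is switched on) can be shown in a few lines. The following is an added illustration, not Authlogic's or Rails' code: a minimal HMAC-based stand-in modeled on what Rails' signed cookies do (base64 payload, separator, MAC over the payload), a constructed users table, and a lookup that mirrors Authlogic's "persistence_token::id" remember-me cookie layout. The secret, the token values, the SHA-256 choice and the "--" separator are assumptions made for the example.

```ruby
require "openssl"
require "base64"

# Assumed application secret; stands in for Rails' secret_token / secret_key_base.
SECRET = "assumed-example-secret-change-me"

# Simplified stand-in for Rails' signed cookies (ActiveSupport::MessageVerifier):
# value -> base64(value) + "--" + HMAC-SHA256(secret, base64(value)).
class SignedCookie
  SEPARATOR = "--"

  def initialize(secret)
    raise ArgumentError, "secret must not be empty" if secret.nil? || secret.empty?
    @secret = secret
  end

  # Sign a plain cookie value.
  def generate(value)
    payload = Base64.strict_encode64(value)
    "#{payload}#{SEPARATOR}#{digest(payload)}"
  end

  # Return the original value, or nil when the signature is absent, malformed,
  # or was produced with a different secret.
  def verify(signed)
    return nil unless signed.is_a?(String)
    payload, sig = signed.split(SEPARATOR, 2)
    return nil if payload.nil? || sig.nil?
    return nil unless secure_compare(digest(payload), sig)
    Base64.strict_decode64(payload)
  rescue ArgumentError
    nil # not valid strict base64
  end

  private

  def digest(payload)
    OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("SHA256"), @secret, payload)
  end

  # Constant-time comparison so a forger cannot learn the expected MAC byte by byte.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end

# Constructed sample users table (what an attacker would see in a database dump).
USERS = {
  42 => { id: 42, persistence_token: "9c3f7a1e5b2d4c6f8a0e1b3d5f7a9c2e4b6d8f0a1c3e5b7d9f2a4c6e8b0d1f3a" },
  7  => { id: 7,  persistence_token: "0a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718293a4b5c6d7e8f9" },
}

# Authlogic-style remember-me payload: "persistence_token::id" (layout assumed here).
def remember_me_payload(user)
  "#{user[:persistence_token]}::#{user[:id]}"
end

def issue_cookie(user, verifier)
  verifier.generate(remember_me_payload(user))
end

# Server side: check the signature first, then the token against the stored row.
def find_by_cookie(cookie, verifier, users = USERS)
  payload = verifier.verify(cookie)
  return nil unless payload
  token, id = payload.split("::", 2)
  return nil if token.nil? || id.nil?
  user = users[id.to_i]
  return nil unless user
  user[:persistence_token] == token ? user : nil
end

if __FILE__ == $PROGRAM_NAME
  verifier = SignedCookie.new(SECRET)
  legit = issue_cookie(USERS[42], verifier)
  # 1. A cookie the app issued still works.
  puts "legit:          #{find_by_cookie(legit, verifier)&.dig(:id).inspect}"
  # 2. A pre-existing unsigned cookie (or one forged from a DB dump) is rejected.
  puts "unsigned/forged: #{find_by_cookie(remember_me_payload(USERS[42]), verifier).inspect}"
  # 3. Signing the stolen token with a guessed secret is rejected too.
  wrong = SignedCookie.new("guessed-secret").generate(remember_me_payload(USERS[42]))
  puts "wrong secret:   #{find_by_cookie(wrong, verifier).inspect}"
  # 4. Swapping the payload under a valid signature is rejected.
  _, sig = legit.split("--", 2)
  swapped = "#{Base64.strict_encode64(remember_me_payload(USERS[7]))}--#{sig}"
  puts "swapped id:     #{find_by_cookie(swapped, verifier).inspect}"
end
```

Scenario 2 is the point both the PR description and the comment make: without the signature the attacker only needs the persistence_token column, and with it every cookie that predates the switch is simply rejected; scenario 3 is the "as long as they don't have your secret token" caveat.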

@tiegz tiegz referenced this pull request Feb 20, 2014

Remember me & timeout #308


I like it, merged

@binarylogic binarylogic merged commit 881102d into binarylogic:master Feb 28, 2014
tiegz commented Feb 28, 2014

@yourewelcome thanks! Fwiw, I recently noticed that Devise uses signed cookies too.
