add Authlogic::Session::Cookies#sign_cookies config option #342

Merged
merged 1 commit into from Feb 28, 2014


@tiegz
Collaborator
tiegz commented Jan 7, 2013

WHAT

Add a config option to cookies to use Rails-style signed cookies for the remember_me cookie (disabled by default).

WHY

Just as an extra precaution to take, if desired.

GOTCHA

When this switch is toggled, already-existing cookies in the wild will be invalidated.

Thoughts?

@tiegz tiegz referenced this pull request Jan 7, 2013
Closed

Option to use signed cookies #331

@drewish
drewish commented Jan 15, 2013

Seems like this might address #309

@tiegz
Collaborator
tiegz commented Jan 15, 2013

@drewish I'm in favor of locking down the remember-me cookie from replay attacks, but currently you could do that by setting the secure option to true and calling reset_persistence_token in your own app more often. Unfortunately I think the only thing my patch does is make the brute-force scenario harder (which is already very difficult to do).

Also, aside from replay attacks, someone could currently write their own remember-me cookies (pretend to be any user) if they got a hold of your database. This patch would prevent that situation too (as long as they don't have your secret token).
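The signing check this thread describes, as an added Ruby example that is not Authlogic's own code: an HMAC over the remember-me value means a cookie built from a leaked persistence token (database access, no secret) fails verification, and, as the GOTCHA in the description notes, a pre-existing unsigned cookie is rejected once signing is on. The cookie format, helper names and sample token are assumptions for this example, not Authlogic's or Rails' actual wire format.

```ruby
require "openssl"
# Constructed secret standing in for the application's secret token.
SECRET = "constructed-example-secret".freeze

# Authlogic-style remember-me value "<persistence_token>::<record_id>";
# the token is a constructed sample, not a real one.
PERSISTENCE_TOKEN = ("a" * 64).freeze
REMEMBER_ME = "#{PERSISTENCE_TOKEN}::42".freeze

# Constant-time comparison so the MAC check does not leak which byte differed.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Signed cookie value "<base64 payload>--<hex HMAC-SHA256>" (format assumed
# for this example; Rails' MessageVerifier uses its own encoding).
def sign_cookie(value, secret = SECRET)
  payload = [value].pack("m0") # strict base64, no newlines
  digest = OpenSSL::HMAC.hexdigest("SHA256", secret, payload)
  "#{payload}--#{digest}"
end

# Returns the original value, or nil for anything not produced with the
# secret: tampered, forged from DB data alone, or a legacy unsigned cookie.
def verify_cookie(cookie, secret = SECRET)
  return nil unless cookie.is_a?(String)
  payload, digest = cookie.split("--", 2)
  return nil if payload.nil? || digest.nil?
  expected = OpenSSL::HMAC.hexdigest("SHA256", secret, payload)
  return nil unless secure_compare(digest, expected)
  payload.unpack1("m0") # raises ArgumentError on invalid strict base64
rescue ArgumentError
  nil
end

# What the server sets for a logged-in user.
def legitimate_cookie
  sign_cookie(REMEMBER_ME)
end

# What someone holding only the database row (token + id) can build: they
# must guess the secret, so the MAC will not match.
def forged_cookie_from_db_dump
  sign_cookie(REMEMBER_ME, "guessed-secret")
end

# A cookie issued before signing was enabled (the GOTCHA in the PR).
def legacy_unsigned_cookie
  REMEMBER_ME
end
```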

@tiegz tiegz referenced this pull request Feb 20, 2014
Closed

Remember me & timeout #308

@binarylogic
Owner

I like it, merged

@binarylogic binarylogic merged commit 881102d into binarylogic:master Feb 28, 2014
@tiegz
Collaborator
tiegz commented Feb 28, 2014

@yourewelcome thanks! Fwiw, I recently noticed that Devise uses signed cookies too.
