Add a config option to cookies to use Rails-style signed cookies for the remember_me cookie (disabled by default).
Just as an extra precaution to take, if desired.
When this switch is toggled, already-existing cookies in the wild will be invalidated.
add Authlogic::Session::Cookies#sign_cookies config option
Seems like this might address #309
@drewish I'm in favor of locking down the remember-me cookie from replay attacks, but currently you could do that by setting the secure option to true and calling reset_persistence_token in your own app more often. Unfortunately I think the only thing my patch does is make the brute-force scenario harder (which is already very difficult to do).
Also, aside from replay attacks, someone could currently write their own remember-me cookies (pretend to be any user) if they got a hold of your database. This patch would prevent that situation too (as long as they don't have your secret token).
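To make concrete what the PR description and the comment above are getting at (a cookie an attacker cannot mint even with the raw persistence token from the database, and cookies that all stop verifying once the secret changes), here is an added illustration in Ruby. It is not Authlogic's or Rails' own code: it assumes a simplified Rails-style `MessageVerifier` format (`base64(payload) + "--" + hex(HMAC)`), uses HMAC-SHA256 rather than Rails' historical SHA1, skips Marshal serialisation, and the secret and token values are constructed for the example.

```ruby
require "openssl"
require "base64"

# Constructed example secret; a real app takes this from its secret key base.
SECRET = "constructed-example-secret-not-for-real-use".freeze

# Sign a persistence token Rails-style: base64(token) + "--" + hex(HMAC-SHA256).
def sign_cookie(token, secret = SECRET)
  data = Base64.strict_encode64(token)
  digest = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("SHA256"), secret, data)
  "#{data}--#{digest}"
end

# Constant-time comparison so the verifier does not leak digest bytes via timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Returns the token if the signature is valid for +secret+, otherwise nil.
# A bare (unsigned) token, a tampered cookie, a cookie signed with a different
# secret, or a cookie from before a secret rotation all come back as nil.
def verify_cookie(cookie, secret = SECRET)
  data, digest = cookie.to_s.split("--", 2)
  return nil if data.nil? || digest.nil?
  expected = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("SHA256"), secret, data)
  return nil unless secure_compare(expected, digest)
  Base64.strict_decode64(data)
rescue ArgumentError
  nil
end

# Scenario from the thread: the persistence token leaks from the database, but the
# signing secret does not. Builds what a cookie signed with a wrong secret looks like
# and checks that the real verifier rejects it alongside the old unsigned format.
def db_leak_scenario(token)
  {
    legitimate: verify_cookie(sign_cookie(token)),
    unsigned_old_format: verify_cookie(token),
    signed_with_wrong_secret: verify_cookie(sign_cookie(token, "guessed-secret")),
    after_secret_rotation: verify_cookie(sign_cookie(token), "rotated-secret")
  }
end

if __FILE__ == $PROGRAM_NAME
  token = "constructed-persistence-token" # constructed sample value
  p db_leak_scenario(token)
end
```

Only the `legitimate` entry comes back with the token; the other three are `nil`, which is the property the `sign_cookies` option buys. The `after_secret_rotation` case is also why flipping the switch (or changing the secret) logs out every existing remember-me session, as the description notes.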
I like it, merged
@yourewelcome thanks! Fwiw, I recently noticed that Devise uses signed cookies too.