Add Documentation For Duration Support & Expiry Meta Data Added to Signed / Encrypted Cookies #30407
Conversation
|
(@rails-bot has picked a reviewer for you, use r? to override) |
|
r? @kaspth |
| @@ -100,7 +103,7 @@ def cookies_digest | |||
| # cookies.permanent[:login] = "XJ-122" | |||
| # | |||
| # # You can also chain these methods: | |||
| # cookies.permanent.signed[:login] = "XJ-122" | |||
| # cookies.signed.permanent[:login] = "XJ-122" | |||
| # | |||
There was a problem hiding this comment.
@kaspth Is it alright if I make this change? 😄
actionpack/CHANGELOG.md
Outdated
| @@ -1,3 +1,29 @@ | |||
| * Cookies `:expires` option supports `ActiveSupport::Duration` | |||
|
|
|||
| Earlier, we had to specify the cookie expiry using a time object. | |||
There was a problem hiding this comment.
We don't have to mention "Earlier", that's implied by us saying we've added something.
actionpack/CHANGELOG.md
Outdated
| But now, you can now specify when the cookie expires using an `ActiveSupport::Duration` | ||
| object as well. | ||
|
|
||
| For example, |
There was a problem hiding this comment.
No need to say for example, just let the text flow.
actionpack/CHANGELOG.md
Outdated
| For example, | ||
|
|
||
| cookies[:user_name] = { value: "assain", expires: 1.hour } | ||
| cookies[:oreo] = { value: "chocolate cookies", expires: 6.months } |
There was a problem hiding this comment.
Indent by 4 more spaces to highlight it as code.
actionpack/CHANGELOG.md
Outdated
| @@ -1,3 +1,29 @@ | |||
| * Cookies `:expires` option supports `ActiveSupport::Duration` | |||
actionpack/CHANGELOG.md
Outdated
|
|
||
| Earlier, we had to specify the cookie expiry using a time object. | ||
| But now, you can now specify when the cookie expires using an `ActiveSupport::Duration` | ||
| object as well. |
There was a problem hiding this comment.
Let's also just leave this out. It's clear enough from the example.
actionpack/CHANGELOG.md
Outdated
|
|
||
| *Assain Jaleel* | ||
|
|
||
| * Cookie expiry is enforced for signed/encrypted cookies |
There was a problem hiding this comment.
Enforce signed/encrypted cookie expiry server side.
actionpack/CHANGELOG.md
Outdated
|
|
||
| * Cookie expiry is enforced for signed/encrypted cookies | ||
|
|
||
| By tacking on expiry meta data to the cookie value and verifying them on receipt, |
There was a problem hiding this comment.
Let's reverse the 2 paragraphs to start with the security boost.
Rails can thwart attacks by malicious clients that don't honor a cookie's expiry.
It does so by stashing the expiry within the written cookie and relying on the
signing/encrypting to vouch that it hasn't been tampered with. Then on a
server-side read, the expiry is verified and any expired cookie is discarded.
This shit is a challenge to explain clearly in few words! So sorry for throwing your bit, but I really want us to be clear about this 😄
| # cookies[:login] = { value: "XJ-122", expires: 1.hour.from_now } | ||
| # cookies[:login] = { value: "XJ-122", expires: 1.hour } | ||
| # | ||
| # # Sets a cookie that expires at a specific time |
| # cookies[:login] = { value: "XJ-122", expires: 1.hour } | ||
| # | ||
| # # Sets a cookie that expires at a specific time | ||
| # cookies[:oreo] = { value: "chocolate cookies", expires: Time.utc(2020, 10, 15, 5) } |
There was a problem hiding this comment.
I'm not sure if we're allowed to reference a trademark in documentation/changelogs. While cute, I'd avoid it.
There was a problem hiding this comment.
😅 Got this inspiration from the Python community. I'll change that! 😄
| @@ -144,7 +147,7 @@ def cookies_digest | |||
| # * <tt>:tld_length</tt> - When using <tt>:domain => :all</tt>, this option can be used to explicitly | |||
| # set the TLD length when using a short (<= 3 character) domain that is being interpreted as part of a TLD. | |||
| # For example, to share cookies between user1.lvh.me and user2.lvh.me, set <tt>:tld_length</tt> to 1. | |||
| # * <tt>:expires</tt> - The time at which this cookie expires, as a \Time object. | |||
| # * <tt>:expires</tt> - The time at which this cookie expires, as a \Time or ActiveSupport::Duration object. | |||
There was a problem hiding this comment.
Will this link to the duration class when the doc is generated?
There was a problem hiding this comment.
Yes, the generated docs do indeed link to the duration class 😄
* Documentation for Duration support added to signed/encrypted cookies * Changelog entries for the duration support and expiry metadata added to cookies [ci skip]
|
@kaspth 😄 |
|
👍 |
This PR is an addendum to #30121 with the following additions:
:expiresoption of cookies.