You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This commit was created on GitHub.com and signed with GitHub’s verified signature.
Changed
Browser session cookie now persists across browser restarts. The
encrypted session_token cookie is written with an explicit expires tied
to the BrowserSession#expires_at (previously a bare session cookie that was
cleared on full browser close, logging users out well before their session
actually expired). The cookie is also hardened with httponly: true, same_site: :lax, and secure following request.ssl?. Combined with a
host-configured session.browser_session_lifetime, this lets a "remember me
for N days" session survive closing and reopening the browser. Applies to
both the sign-in and remember-token re-auth paths.