TW-40 #comment Only remember user when there is a cookie AND it belon…

…gs to the user.
thinkwell · Mar 2, 2015 · 3065e3e · 3065e3e
1 parent f967d22
commit 3065e3e
Showing 1 changed file with 4 additions and 2 deletions.
diff --git a/lib/authlogic_crowd/session.rb b/lib/authlogic_crowd/session.rb
@@ -404,10 +404,12 @@ def crowd_cookie_info
       end
 
       # As Authlogic creates a cookie to know if the user wants to be remembered
-      # returns true only if the cookie exists.
+      # returns true only if the cookie exists and it belongs to the logged in user.
       # For cookie_key see Authlogic::Session::Cookies::Config
       def should_remember_user?
-        controller && controller.cookies[cookie_key].present?
+        return false unless controller && controller.cookies[cookie_key].present?
+        credentials_from_cookie = controller.cookies[cookie_key].split("::")[1]
+        credentials_from_cookie == controller.session[cookie_key]
       end
 
       def refresh_user_token