Skip to content

Commit

Permalink
Adds security features to remember_token cookie.
Browse files Browse the repository at this point in the history 
1. Set to "secure" in production
2. Set to HttpOnly
3. SameSite set to strict.

Closes stevepolitodesign#87.
  • Loading branch information
@mdchaney
mdchaney committed Jun 14, 2024
1 parent 2e6e5b0 commit ba52446
Show file tree
Hide file tree
Showing 2 changed files with 6 additions and 2 deletions.
7 changes: 6 additions & 1 deletion app/controllers/concerns/authentication.rb
View file
Original file line number Diff line number Diff line change
Expand Up @@ -35,7 +35,12 @@ def redirect_if_authenticated
end

def remember(active_session)
cookies.permanent.encrypted[:remember_token] = active_session.remember_token
cookies.permanent.encrypted[:remember_token] = {
value: active_session.remember_token,
secure: Rails.env.production?,
httponly: true,
same_site: :strict
}
end

private
Expand Down
1 change: 0 additions & 1 deletion test/controllers/sessions_controller_test.rb
View file
Original file line number Diff line number Diff line change
Expand Up @@ -48,7 +48,6 @@ class SessionsControllerTest < ActionDispatch::IntegrationTest
remember_me_cookie = cookies.get_cookie("remember_token")

assert remember_me_cookie.http_only?
assert remember_me_cookie.secure?
assert_equal "Strict", remember_me_cookie.to_h["SameSite"]
end

Expand Down

0 comments on commit ba52446

Please sign in to comment.