Limit remember cookie to httponly #87

stevepolitodesign · 2022-02-25T20:41:33Z

Before

rails-authentication-from-scratch/app/controllers/concerns/authentication.rb

Lines 37 to 39 in b3e253f

    
           def remember(active_session) 
        
             cookies.permanent.encrypted[:remember_token] = active_session.remember_token 
        
           end

After

def remember(active_session)
  cookies.permanent.encrypted[:remember_token] = { value: active_session.remember_token, httponly: true }
end

Issues

set httponly cookie

stevepolitodesign · 2023-03-17T18:19:03Z

We can update this test to include the following:

rails-authentication-from-scratch/test/controllers/sessions_controller_test.rb

Lines 34 to 47 in b3e253f

    
           test "should remember user when logging in" do 
        
             assert_nil cookies[:remember_token] 
        
             post login_path, params: { 
        
               user: { 
        
                 email: @confirmed_user.email, 
        
                 password: @confirmed_user.password, 
        
                 remember_me: 1 
        
               } 
        
             } 
        
             assert_not_nil current_user 
        
             assert_not_nil cookies[:remember_token] 
        
           end

remember_me_cookie = cookies.get_cookie("remember_token")

assert remember_me_cookie.http_only?
assert remember_me_cookie.secure?
assert_equal "Strict", remember_me_cookie.to_h["SameSite"]

Asserts cookie is http_only, secure, and same-site is "strict". Closes stevepolitodesign#87.

1. Set to "secure" in production 2. Set to HttpOnly 3. SameSite set to strict. Closes stevepolitodesign#87.

stevepolitodesign self-assigned this Feb 25, 2022

stevepolitodesign removed their assignment Mar 17, 2023

mdchaney added a commit to mdchaney/rails-authentication-from-scratch that referenced this issue Jun 12, 2024

Adds assertions for remember_me cookie.

2e6e5b0

Asserts cookie is http_only, secure, and same-site is "strict". Closes stevepolitodesign#87.

mdchaney mentioned this issue Jun 12, 2024

Add remember me cookie assertions #97

Closed

mdchaney added a commit to mdchaney/rails-authentication-from-scratch that referenced this issue Jun 14, 2024

Adds security features to remember_token cookie.

ba52446

1. Set to "secure" in production 2. Set to HttpOnly 3. SameSite set to strict. Closes stevepolitodesign#87.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Limit remember cookie to httponly #87

Limit remember cookie to httponly #87

stevepolitodesign commented Feb 25, 2022 •

edited

Loading

stevepolitodesign commented Mar 17, 2023

Limit remember cookie to httponly #87

Limit remember cookie to httponly #87

Comments

stevepolitodesign commented Feb 25, 2022 • edited Loading

Before

After

Issues

stevepolitodesign commented Mar 17, 2023

stevepolitodesign commented Feb 25, 2022 •

edited

Loading