
Limit remember cookie to httponly

Open · stevepolitodesign opened this issue 3 years ago · 1 comment

Before

https://github.com/stevepolitodesign/rails-authentication-from-scratch/blob/b3e253fe2986d5672ba50f4ca23d4af038d5e8b1/app/controllers/concerns/authentication.rb#L37-L39

After

def remember(active_session)
  # httponly: true keeps the remember cookie out of reach of document.cookie in the browser
  cookies.permanent.encrypted[:remember_token] = { value: active_session.remember_token, httponly: true }
end

Issues

set httponly cookie

stevepolitodesign, Feb 25 '22 20:02

We can update this test to include the following:

https://github.com/stevepolitodesign/rails-authentication-from-scratch/blob/b3e253fe2986d5672ba50f4ca23d4af038d5e8b1/test/controllers/sessions_controller_test.rb#L34-L47

remember_me_cookie = cookies.get_cookie("remember_token")

assert remember_me_cookie.http_only?
assert remember_me_cookie.secure?
assert_equal "Strict", remember_me_cookie.to_h["SameSite"]

stevepolitodesign, Mar 17 '23 18:03
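The attributes the issue and the proposed test check (HttpOnly, Secure, SameSite=Strict) can be audited straight from a Set-Cookie header, outside Rails. The following is an added example, not code from the repository: it parses a Set-Cookie header and reports which of the three hardening attributes are missing or wrong. The two header strings are constructed samples standing in for the "before" and "after" responses; the exact attribute spelling Rack emits is assumed to be case-insensitive, which the parser normalises.

```ruby
# Added example (not the project's code): audit the Set-Cookie attributes
# that the issue and its test assert on. Header strings are constructed.

# Parse one Set-Cookie header into name, value and an attribute hash keyed
# by lower-cased attribute name; flag attributes (no "=") map to true.
def parse_set_cookie(header)
  name_value, *attrs = header.split(/;\s*/)
  name, value = name_value.split("=", 2)
  attributes = attrs.each_with_object({}) do |attr, h|
    k, v = attr.split("=", 2)
    h[k.downcase] = v.nil? ? true : v
  end
  { name: name, value: value, attributes: attributes }
end

# Required hardening for the remember cookie, matching the three
# assertions proposed in the issue comment.
REQUIRED = { "httponly" => true, "secure" => true, "samesite" => "Strict" }.freeze

# Return a list of findings (empty when the cookie is fully hardened).
def remember_cookie_findings(header)
  parsed = parse_set_cookie(header)
  REQUIRED.each_with_object([]) do |(attr, expected), findings|
    actual = parsed[:attributes][attr]
    findings << "#{attr}: expected #{expected.inspect}, got #{actual.inspect}" unless actual == expected
  end
end

# Constructed "before" header: permanent encrypted cookie with no flags.
BEFORE = "remember_token=ENCRYPTEDVALUE; path=/; expires=Thu, 01 Jan 2043 00:00:00 GMT"
# Constructed "after" header: httponly: true plus the secure/SameSite flags the test expects.
AFTER  = "remember_token=ENCRYPTEDVALUE; path=/; expires=Thu, 01 Jan 2043 00:00:00 GMT; secure; HttpOnly; SameSite=Strict"

if __FILE__ == $PROGRAM_NAME
  puts "before: #{remember_cookie_findings(BEFORE).inspect}"
  puts "after:  #{remember_cookie_findings(AFTER).inspect}"
end
```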