rememberable cookie now is httponly by default
parent
1b43cb5203
commit
af1295284c
@ -6,6 +6,7 @@
|
||||||
* rails g destroy works properly with devise generators (by github.com/andmej)
|
* rails g destroy works properly with devise generators (by github.com/andmej)
|
||||||
* recall options is now passed forward by hooks (by github.com/siong1987)
|
* recall options is now passed forward by hooks (by github.com/siong1987)
|
||||||
* before_failure callbacks should work on test helpers (by github.com/twinge)
|
* before_failure callbacks should work on test helpers (by github.com/twinge)
|
||||||
|
* rememberable cookie now is httponly by default (by github.com/JamesFerguson)
|
||||||
|
|
||||||
* deprecations
|
* deprecations
|
||||||
* Deprecated anybody_signed_in? in favor of signed_in? (by github.com/gavinhughes)
|
* Deprecated anybody_signed_in? in favor of signed_in? (by github.com/gavinhughes)
|
||||||
@ -18,11 +18,14 @@ module Devise
|
||||||
|
|
||||||
def cookie_values(resource)
|
def cookie_values(resource)
|
||||||
options = Rails.configuration.session_options.slice(:path, :domain, :secure)
|
options = Rails.configuration.session_options.slice(:path, :domain, :secure)
|
||||||
|
options[:httponly] = true
|
||||||
|
|
||||||
options.merge!(resource.cookie_options)
|
options.merge!(resource.cookie_options)
|
||||||
options.merge!(
|
options.merge!(
|
||||||
:value => resource.class.serialize_into_cookie(resource),
|
:value => resource.class.serialize_into_cookie(resource),
|
||||||
:expires => resource.remember_expires_at
|
:expires => resource.remember_expires_at
|
||||||
)
|
)
|
||||||
|
|
||||||
options
|
options
|
||||||
end
|
end
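Review bot: `options[:httponly] = true` is applied before `options.merge!(resource.cookie_options)`, so a model's `cookie_options` can silently switch HttpOnly back off; that is presumably the intended override point, but nothing in the hunk says so. I would add a comment above the new line: `# HttpOnly by default so the remember token cannot be read from script (XSS); a model's cookie_options, merged below, may still override it.` Note also that `:secure` is still only inherited from `session_options`, while this cookie outlives the session (`:expires => resource.remember_expires_at`); where the session cookie is not marked secure, the long-lived remember token is sent over plain HTTP. That deserves at least the same comment, or a `:secure` default tied to the request being TLS, if the request is reachable from this method, which I cannot tell from the hunk.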
@ -28,9 +28,9 @@ class RememberMeTest < ActionController::IntegrationTest
|
||||||
end
|
end
|
||||||
|
|
||||||
def cookie_expires(key)
|
def cookie_expires(key)
|
||||||
cookie = response.headers["Set-Cookie"].split("\n").grep(/^#{key}/).first
|
cookie = response.headers["Set-Cookie"].split("\n").grep(/^#{key}/).first
|
||||||
cookie.split(";").map(&:strip).grep(/^expires=/)
|
expires = cookie.split(";").map(&:strip).grep(/^expires=/).first
|
||||||
Time.parse($')
|
Time.parse(expires)
|
||||||
end
|
end
|
||||||
|
|
||||||
test 'do not remember the user if he has not checked remember me option' do
|
test 'do not remember the user if he has not checked remember me option' do
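Review bot: The only test change visible is the `cookie_expires` refactor; nothing in this hunk asserts that the remember cookie's Set-Cookie header actually carries `HttpOnly`, so the behaviour this commit adds is not pinned by any test I can see. A sibling helper next to `cookie_expires` (below) makes the assertion a one-liner, e.g. `assert cookie_httponly?(cookie_name)` inside the remember-me test for the cookie name used there (the test body itself continues outside the hunk). Separately, `Time.parse(expires)` is handed the whole `expires=...` attribute and only works because the parser skips the unrecognised prefix; `Time.parse(expires.sub(/\Aexpires=/, ''))` makes the intent explicit. The helper also escapes `key` before interpolating it into the regex, which `/^#{key}/` on the line above does not.
```ruby
def cookie_httponly?(key)
  cookie = response.headers["Set-Cookie"].split("\n").grep(/^#{Regexp.escape(key)}/).first
  cookie.split(";").map(&:strip).any? { |attr| attr.casecmp("httponly").zero? }
end
```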
|
||||||
|
|
Loading…
Reference in New Issue