rememberable cookie now is httponly by default
parent
1b43cb5203
commit
af1295284c
|
@ -6,6 +6,7 @@
|
|||
* rails g destroy works properly with devise generators (by github.com/andmej)
|
||||
* recall options is now passed forward by hooks (by github.com/siong1987)
|
||||
* before_failure callbacks should work on test helpers (by github.com/twinge)
|
||||
* rememberable cookie now is httponly by default (by github.com/JamesFerguson)
|
||||
|
||||
* deprecations
|
||||
* Deprecated anybody_signed_in? in favor of signed_in? (by github.com/gavinhughes)
|
||||
|
|
|
@ -18,11 +18,14 @@ module Devise
|
|||
|
||||
def cookie_values(resource)
|
||||
options = Rails.configuration.session_options.slice(:path, :domain, :secure)
|
||||
options[:httponly] = true
|
||||
|
||||
options.merge!(resource.cookie_options)
|
||||
options.merge!(
|
||||
:value => resource.class.serialize_into_cookie(resource),
|
||||
:expires => resource.remember_expires_at
|
||||
)
|
||||
|
||||
options
|
||||
end
|
||||
|
||||
|
|
|
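Review bot: `options.merge!(resource.cookie_options)` runs after `options[:httponly] = true`, so model-level cookie options containing `:httponly => false` silently switch the flag off for the remember-me token. If that override is intended, say so above the assignment, e.g. `# Default only: resource.cookie_options is merged afterwards and may override :httponly`. `:secure` is copied from `session_options` only when it is set there, so nothing visible here forces the long-lived remember cookie onto HTTPS. The test changes shown on this page contain no assertion on the `HttpOnly` attribute of the `Set-Cookie` header; one would keep the default from regressing. The page has lost its +/- markers, so which of these lines are new is inferred from the commit title.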
@ -28,9 +28,9 @@ class RememberMeTest < ActionController::IntegrationTest
|
|||
end
|
||||
|
||||
def cookie_expires(key)
|
||||
cookie = response.headers["Set-Cookie"].split("\n").grep(/^#{key}/).first
|
||||
cookie.split(";").map(&:strip).grep(/^expires=/)
|
||||
Time.parse($')
|
||||
cookie = response.headers["Set-Cookie"].split("\n").grep(/^#{key}/).first
|
||||
expires = cookie.split(";").map(&:strip).grep(/^expires=/).first
|
||||
Time.parse(expires)
|
||||
end
|
||||
|
||||
test 'do not remember the user if he has not checked remember me option' do
|
||||
|
|
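Review bot: `grep(/^#{key}/)` in `cookie_expires` interpolates the cookie name unescaped and without a trailing `=`, so it also selects any cookie whose name merely begins with `key`; `grep(/^#{Regexp.escape(key)}=/)` pins the match to the exact cookie. When the cookie or its `expires` attribute is missing, `.first` returns nil and the helper fails with a NoMethodError or TypeError rather than a readable assertion message. The +/- markers are lost on this page; the three lines ending in `Time.parse(expires)` appear to be the new side, and the test class continues outside the hunk.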