#150 new
Jurand

Security improvement

Reported by Jurand | October 3rd, 2009 @ 06:26 PM

Currently, there is no way to set the "SECURE" and "HTTPONLY" flags on Authlogic's session cookie. To do this I had to monkey patch the Authlogic plugin. Such a feature would be very handy. Below is my monkey patch:

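module Authlogic
  module Session
    module Cookies
      module InstanceMethods
        # Override Authlogic's save_cookie so the session cookie is always
        # written with the Secure and HttpOnly attributes.
        def save_cookie
          controller.cookies[cookie_key] = {
            :value => "#{record.persistence_token}::#{record.send(record.class.primary_key)}",
            :expires => remember_me_until,
            :domain => controller.cookie_domain,
            :secure => true,     # only send the cookie over HTTPS
            :httponly => true    # keep the cookie out of reach of client-side script
          }
        end
      end
    end
  end
end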
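
A way to confirm the flags actually reach the browser, as an added example that is not part of the original ticket or of Authlogic: it parses Set-Cookie response headers and reports which of Secure and HttpOnly are missing. The cookie name "user_credentials", the helper names and the sample headers are assumptions constructed for illustration.

```ruby
# Added example: audit Set-Cookie response headers for the Secure and
# HttpOnly attributes. Not Authlogic code; sample headers are constructed.

REQUIRED_FLAGS = %w[secure httponly].freeze

# Parse one Set-Cookie header value into its name, value and attribute map.
# Attribute names are case-insensitive, so they are stored lowercased.
def parse_set_cookie(header)
  pair, *attrs = header.to_s.split(";").map(&:strip)
  name, value = pair.to_s.split("=", 2)
  attributes = attrs.each_with_object({}) do |attr, acc|
    next if attr.empty?
    key, val = attr.split("=", 2)
    acc[key.downcase] = val.nil? ? true : val
  end
  { name: name, value: value.to_s, attributes: attributes }
end

# Return the required flags absent from the named cookie, or nil when
# the response does not set that cookie at all. Matching is done on
# parsed attribute names, so a cookie *value* containing "secure"
# is not mistaken for the flag.
def missing_flags(set_cookie_headers, cookie_name)
  cookie = set_cookie_headers.map { |h| parse_set_cookie(h) }
                             .find { |c| c[:name] == cookie_name }
  return nil unless cookie
  REQUIRED_FLAGS.reject { |flag| cookie[:attributes].key?(flag) }
end

# Constructed samples. The cookie name is an assumption; the
# "token::id" value shape (URL-encoded) follows the patch above.
UNPATCHED = ["user_credentials=abc123%3A%3A42; path=/; expires=Sat, 03 Oct 2009 18:26:00 GMT"].freeze
PATCHED   = ["user_credentials=abc123%3A%3A42; path=/; expires=Sat, 03 Oct 2009 18:26:00 GMT; secure; HttpOnly"].freeze

if __FILE__ == $PROGRAM_NAME
  puts "unpatched missing: #{missing_flags(UNPATCHED, 'user_credentials').inspect}"
  puts "patched missing:   #{missing_flags(PATCHED, 'user_credentials').inspect}"
end
```
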

Comments and changes to this ticket


Object based authentication solution that handles all of the non sense for you. It's as easy as ActiveRecord is with a database.
