Adds security features to remember_token cookie.

mdchaney · mdchaney · commit ba5244614f85 · 2024-06-14T11:49:30.000-05:00
1. Set to "secure" in production 2. Set to HttpOnly 3. SameSite set to strict. Closes stevepolitodesign#87.
diff --git a/app/controllers/concerns/authentication.rb b/app/controllers/concerns/authentication.rb
@@ -35,7 +35,12 @@ def redirect_if_authenticated
   end
 
   def remember(active_session)
-    cookies.permanent.encrypted[:remember_token] = active_session.remember_token
+    cookies.permanent.encrypted[:remember_token] = {
+      value: active_session.remember_token,
+      secure: Rails.env.production?,
+      httponly: true,
+      same_site: :strict
+    }
   end
 
   private
diff --git a/test/controllers/sessions_controller_test.rb b/test/controllers/sessions_controller_test.rb
@@ -48,7 +48,6 @@ class SessionsControllerTest < ActionDispatch::IntegrationTest
     remember_me_cookie = cookies.get_cookie("remember_token")
 
     assert remember_me_cookie.http_only?
-    assert remember_me_cookie.secure?
     assert_equal "Strict", remember_me_cookie.to_h["SameSite"]
   end
 
