Sign the auth token cookie and make it httpOnly

This commit is contained in:
tms
2013-02-20 17:24:19 -05:00
parent e914222cb3
commit 5616fdc475
3 changed files with 4 additions and 4 deletions


@@ -2,7 +2,7 @@ module CurrentUser
def self.lookup_from_env(env)
request = Rack::Request.new(env)
auth_token = request.cookies["_t"]
auth_token = request.cookies[:_t]
user = nil
if auth_token && auth_token.length == 32
user = User.where(auth_token: auth_token).first
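Review bot: `lookup_from_env` still trusts the raw `_t` value read from `Rack::Request#cookies` and goes straight to `User.where(auth_token: ...)`, while the controller path in this same commit reads the cookie through `cookies.signed`, so a forged or tampered token that the signed reader rejects is still accepted at the Rack layer. If the cookie is now written via `cookies.signed` (as the commit title suggests), the raw value Rack sees is the serialized payload plus `--digest`, not the bare 32-character token, so the `auth_token.length == 32` check will also stop matching and this lookup silently yields nil. The Rack path should verify the signature itself with the same secret the signed cookie jar uses before the length check, e.g. `verifier = ActiveSupport::MessageVerifier.new(Rails.application.config.secret_token)` and `auth_token = verifier.verify(raw_token) if raw_token`, rescuing only `ActiveSupport::MessageVerifier::InvalidSignature` to nil. Note also that `Rack::Request#cookies` is keyed by string, so whichever of the two `auth_token =` lines is the new one, the `[:_t]` form returns nil; `request.cookies["_t"]` is the form that actually reads the cookie. The method's closing `end` is not shown in the hunk.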
@@ -16,7 +16,7 @@ module CurrentUser
if session[:current_user_id].blank?
# maybe we have a cookie?
auth_token = cookies[:_t]
auth_token = cookies.signed[:_t]
if auth_token && auth_token.length == 32
@current_user = User.where(auth_token: auth_token).first
session[:current_user_id] = @current_user.id if @current_user