Implementation of “Remember me” in a Rails application

Front-end · Unresolved · 7 · 1027
旧时难觅i 2020-12-24 05:11

My Rails-app has a sign in box with a "remember me" checkbox. Users who check that box should remain logged in even after closing their browser. I'm keeping track of whet

7 answers
  • 2020-12-24 05:43

    I have spent a while thinking about this and came to some conclusions. Rails session cookies are tamper-proof by default, so you really don't have to worry about a cookie being modified on the client end.

    Here is what I've done:

    • Session cookie is set to be long-lived (6 months or so)
    • Inside the session store
      • An 'expires on' date that is set to login + 24 hours
      • user id
      • Authenticated = true so I can allow for anonymous user sessions (not dangerous because of the cookie tamper protection)
    • I add a before_filter in the Application Controller that checks the 'expires on' part of the session.

    When the user checks the "Remember Me" box, I just set the session[:expireson] date to be login + 2 weeks. No one can steal the cookie and stay logged in forever or masquerade as another user because the rails session cookie is tamper-proof.

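The scheme in the answer above, as an added example that is not the answer's own code: the session holds the user id, an authenticated flag and an `expires_on` timestamp, login sets that timestamp to +24 hours or +2 weeks depending on the checkbox, and a filter rejects the session once it has passed. It is written against a plain Ruby Hash so it runs outside Rails; in a real app the two methods would sit in ApplicationController behind `before_action`. The module and method names (`SessionExpiry`, `sign_in`, `enforce`) and the ISO 8601 string storage are assumptions; the 24-hour and two-week windows are the answer's figures.

```ruby
require 'time'

# Added example, not the answer's code. Models the answer's session layout:
#   session[:user_id], session[:authenticated], session[:expires_on]
# against a plain Hash so it runs without Rails. Names are assumptions.
module SessionExpiry
  DEFAULT_TTL  = 24 * 60 * 60        # login + 24 hours (answer's default)
  REMEMBER_TTL = 14 * 24 * 60 * 60   # login + 2 weeks when "remember me" is checked

  # Populate the session after a successful login. With the cookie store the
  # whole hash is signed, so a client cannot push expires_on forward.
  def self.sign_in(session, user_id, remember_me: false, now: Time.now)
    ttl = remember_me ? REMEMBER_TTL : DEFAULT_TTL
    session[:user_id]       = user_id
    session[:authenticated] = true
    # Stored as an ISO 8601 string so it survives cookie serialization unchanged.
    session[:expires_on]    = (now + ttl).utc.iso8601
    session
  end

  # The answer's before_filter. Returns true if the session may proceed;
  # otherwise wipes it (forcing a fresh login) and returns false.
  def self.enforce(session, now: Time.now)
    # Anonymous sessions carry no login and therefore nothing to expire.
    return true unless session[:authenticated]

    expires_on = session[:expires_on]
    if expires_on.nil? || Time.iso8601(expires_on) <= now
      session.clear
      return false
    end
    true
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed walk-through: a default login expires after a day, a
  # "remember me" login survives ten days but not fifteen.
  t0 = Time.utc(2020, 12, 24, 5, 11)
  plain = SessionExpiry.sign_in({}, 42, now: t0)
  puts SessionExpiry.enforce(plain, now: t0 + 3600)            # true
  puts SessionExpiry.enforce(plain, now: t0 + 25 * 3600)       # false, session cleared
  long = SessionExpiry.sign_in({}, 7, remember_me: true, now: t0)
  puts SessionExpiry.enforce(long, now: t0 + 10 * 24 * 3600)   # true
  puts SessionExpiry.enforce(long, now: t0 + 15 * 24 * 3600)   # false
end
```

One property worth keeping in mind when adopting this: the signature stops a client from editing `expires_on`, but a cookie copied from the user's machine is still a valid login until that date, and because the cookie store keeps all state client-side there is no server-side record to revoke it from; the two-week window is the only bound on such a replay.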