[LRUG] Authentication by cookie
Andrew Stewart
boss at airbladesoftware.com
Mon Feb 7 04:30:00 PST 2011
Hola El Rug,
I am wondering what I should store in a tamper-proof cookie to remember a user across browser sessions. All I want to store is the user's id, much like this (Rails 3):
cookies.signed[:remember_me] = user.id
However every example I have seen stores the user's id and their salt/password-hash. I don't see, though, why we need the salt: the cookie is tamper-proof and the user's id isn't a secret.
According to this blog post it's so the cookie is invalidated when the user changes their password.
http://m.onkey.org/signed-and-permanent-cookies-in-rails-3
Again, though, I don't see why we would want to invalidate the cookie in this situation.
Usually when I find myself saying, "Everybody else is wrong, it's just me that's right," I carry on happily. However because this is authentication code I thought I should consult El Rug ;)
Thanks in advance,
Andy Stewart
-------
http://airbladesoftware.com
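An added example, not from Andy's post or the linked article: a small Ruby stand-in for `cookies.signed` that stores the user id plus a fingerprint of the stored password hash, so a cookie issued before a password change stops authenticating afterwards (the id-only cookie in the post would keep working). The secret, user store and password digests are constructed placeholders.

```ruby
require 'openssl'
require 'json'
require 'base64'

SECRET = 'constructed-demo-secret-do-not-reuse' # assumption: stands in for the app's secret token

# Constant-time comparison so the tag check does not leak timing information.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Stand-in for cookies.signed: base64 payload plus an HMAC-SHA256 tag.
def sign(payload)
  data = Base64.strict_encode64(JSON.generate(payload))
  "#{data}--#{OpenSSL::HMAC.hexdigest('SHA256', SECRET, data)}"
end

# Returns the payload only if the tag verifies; nil on tampering or garbage input.
def verify(cookie)
  data, tag = cookie.split('--', 2)
  return nil unless data && tag
  return nil unless secure_compare(OpenSSL::HMAC.hexdigest('SHA256', SECRET, data), tag)
  JSON.parse(Base64.strict_decode64(data))
rescue ArgumentError, JSON::ParserError
  nil
end

# Short fingerprint of the stored password hash: it changes whenever the password does,
# so the cookie is bound to the current credential without shipping the hash itself.
def fingerprint(password_digest)
  OpenSSL::Digest::SHA256.hexdigest(password_digest)[0, 16]
end

def remember_cookie(user)
  sign('id' => user[:id], 'fp' => fingerprint(user[:password_digest]))
end

# Look the user up by id, then reject the cookie if the password changed after it was issued.
def user_from_cookie(cookie, users)
  payload = verify(cookie)
  return nil unless payload.is_a?(Hash)
  user = users[payload['id']]
  return nil unless user && secure_compare(fingerprint(user[:password_digest]), payload['fp'].to_s)
  user
end

# Constructed sample store; password_digest would be bcrypt output in a real app.
def demo_users
  { 42 => { id: 42, password_digest: '$2a$10$constructed-old-hash' } }
end
```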