login: remove 'remember' checkbox; make session cookies permanent.

Remove the "Remember" checkbox from the login page. Make session cookies permanent instead. Phase out legacy `user_name` and `password_hash` cookies. Previously a user's session cookies would be cleared whenever they closed their browser window, which would log them out of the site. To work around this, when the "Remember" box was checked on the login page (which it was by default), the user's name and password hash (!) would be stored in separate permanent cookies, which would be used to automatically log the user back in when their session cookies were cleared. We can avoid all of this just by making the session cookies themselves permanent.
2019-11-17 16:42:54 -06:00
parent 9b893db640
commit 320ff01e07
6 changed files with 12 additions and 37 deletions
--- a/app/controllers/maintenance/user/deletions_controller.rb
+++ b/app/controllers/maintenance/user/deletions_controller.rb
@@ -8,7 +8,7 @@ module Maintenance
        deletion = UserDeletion.new(CurrentUser.user, params[:password])
        deletion.delete!
        session.delete(:user_id)
-        cookies.delete(:cookie_password_hash)
+        cookies.delete(:password_hash)
        cookies.delete(:user_name)
        redirect_to(posts_path, :notice => "You are now logged out")
      end
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -7,7 +7,7 @@ class SessionsController < ApplicationController
  end

  def create
-    session_creator = SessionCreator.new(session, cookies, params[:name], params[:password], request.remote_ip, params[:remember], request.ssl?)
+    session_creator = SessionCreator.new(session, params[:name], params[:password], request.remote_ip)

    if session_creator.authenticate
      url = params[:url] if params[:url] && params[:url].start_with?("/")
--- a/app/javascript/src/styles/specific/sessions.scss
+++ b/app/javascript/src/styles/specific/sessions.scss
@@ -1,9 +0,0 @@
-div#c-sessions {
-  div#a-new {
-    label#remember-label {
-      display: inline;
-      font-weight: normal;
-      font-style: italic;
-    }
-  }
-}
--- a/app/logical/session_creator.rb
+++ b/app/logical/session_creator.rb
@@ -1,34 +1,18 @@
 class SessionCreator
-  attr_reader :session, :cookies, :name, :password, :ip_addr, :remember, :secure
+  attr_reader :session, :name, :password, :ip_addr
  attr_reader :user

-  def initialize(session, cookies, name, password, ip_addr, remember = false, secure = false)
+  def initialize(session, name, password, ip_addr)
    @session = session
-    @cookies = cookies
    @name = name
    @password = password
    @ip_addr = ip_addr
-    @remember = remember
-    @secure = secure
  end

  def authenticate
    if User.authenticate(name, password)
      @user = User.find_by_name(name)

-      if remember.present?
-        cookies.permanent.signed[:user_name] = {
-          :value => @user.name,
-          :secure => secure,
-          :httponly => true
-        }
-        cookies.permanent[:password_hash] = {
-          :value => @user.bcrypt_cookie_password_hash,
-          :secure => secure,
-          :httponly => true
-        }
-      end
-
      session[:user_id] = @user.id
      @user.update_column(:last_ip_addr, ip_addr)
      return true
--- a/app/logical/session_loader.rb
+++ b/app/logical/session_loader.rb
@@ -27,7 +27,7 @@ class SessionLoader
    update_last_ip_addr
    set_time_zone
    set_safe_mode
-    set_started_at_session
+    initialize_session_cookies
    CurrentUser.user.unban! if CurrentUser.user.ban_expired?
  ensure
    DanbooruLogger.add_session_attributes(request, session, CurrentUser.user)
@@ -114,9 +114,12 @@ private
    CurrentUser.safe_mode = safe_mode
  end

-  def set_started_at_session
-    if session[:started_at].blank?
-      session[:started_at] = Time.now.utc.to_s
-    end
+  def initialize_session_cookies
+    session.options[:expire_after] = 20.years
+    session[:started_at] ||= Time.now.utc.to_s
+
+    # clear out legacy login cookies if present
+    cookies.delete(:user_name)
+    cookies.delete(:password_hash)
  end
 end
--- a/app/views/sessions/new.html.erb
+++ b/app/views/sessions/new.html.erb
@@ -13,9 +13,6 @@
        <div class="input">
          <label for="password">Password</label>
          <%= password_field_tag :password %>
-
-          <%= check_box_tag :remember, "1", true %>
-          <label for="remember" id="remember-label">Remember</label>
        </div>

        <p class="fineprint">