From 320ff01e0732db8a30002d072ae00de0b34341c9 Mon Sep 17 00:00:00 2001 From: evazion Date: Sun, 17 Nov 2019 16:42:54 -0600 Subject: [PATCH] login: remove 'remember' checkbox; make session cookies permanent. Remove the "Remember" checkbox from the login page. Make session cookies permanent instead. Phase out legacy `user_name` and `password_hash` cookies. Previously a user's session cookies would be cleared whenever they closed their browser window, which would log them out of the site. To work around this, when the "Remember" box was checked on the login page (which it was by default), the user's name and password hash (!) would be stored in separate permanent cookies, which would be used to automatically log the user back in when their session cookies were cleared. We can avoid all of this just by making the session cookies themselves permanent. --- .../maintenance/user/deletions_controller.rb | 2 +- app/controllers/sessions_controller.rb | 2 +- .../src/styles/specific/sessions.scss | 9 --------- app/logical/session_creator.rb | 20 ++----------------- app/logical/session_loader.rb | 13 +++++++----- app/views/sessions/new.html.erb | 3 --- 6 files changed, 12 insertions(+), 37 deletions(-) delete mode 100644 app/javascript/src/styles/specific/sessions.scss diff --git a/app/controllers/maintenance/user/deletions_controller.rb b/app/controllers/maintenance/user/deletions_controller.rb index a8254da37..9f3f592ce 100644 --- a/app/controllers/maintenance/user/deletions_controller.rb +++ b/app/controllers/maintenance/user/deletions_controller.rb @@ -8,7 +8,7 @@ module Maintenance deletion = UserDeletion.new(CurrentUser.user, params[:password]) deletion.delete! session.delete(:user_id) - cookies.delete(:cookie_password_hash) + cookies.delete(:password_hash) cookies.delete(:user_name) redirect_to(posts_path, :notice => "You are now logged out") end diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb index 807cf2c37..3081944d0 100644 
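Review bot: Logging the deleted account out with `session.delete(:user_id)` leaves every other key in the session cookie intact and keeps reusing the same session, which matters more now that the session_loader hunk in this patch makes that cookie live for 20 years; `reset_session` in place of `session.delete(:user_id)` clears the whole session and issues a fresh one after `deletion.delete!`. The `cookies.delete(:password_hash)` and `cookies.delete(:user_name)` lines become redundant with the cleanup `SessionLoader#initialize_session_cookies` now performs on every request, though keeping them here is harmless. The enclosing action and its controller class continue outside the hunk.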
--- a/app/controllers/sessions_controller.rb +++ b/app/controllers/sessions_controller.rb @@ -7,7 +7,7 @@ class SessionsController < ApplicationController end def create - session_creator = SessionCreator.new(session, cookies, params[:name], params[:password], request.remote_ip, params[:remember], request.ssl?) + session_creator = SessionCreator.new(session, params[:name], params[:password], request.remote_ip) if session_creator.authenticate url = params[:url] if params[:url] && params[:url].start_with?("/") diff --git a/app/javascript/src/styles/specific/sessions.scss b/app/javascript/src/styles/specific/sessions.scss deleted file mode 100644 index 1ed32256d..000000000 --- a/app/javascript/src/styles/specific/sessions.scss +++ /dev/null @@ -1,9 +0,0 @@ -div#c-sessions { - div#a-new { - label#remember-label { - display: inline; - font-weight: normal; - font-style: italic; - } - } -} diff --git a/app/logical/session_creator.rb b/app/logical/session_creator.rb index cf22bbdaa..16bb57e8d 100644 --- a/app/logical/session_creator.rb +++ b/app/logical/session_creator.rb @@ -1,34 +1,18 @@ class SessionCreator - attr_reader :session, :cookies, :name, :password, :ip_addr, :remember, :secure + attr_reader :session, :name, :password, :ip_addr attr_reader :user - def initialize(session, cookies, name, password, ip_addr, remember = false, secure = false) + def initialize(session, name, password, ip_addr) @session = session - @cookies = cookies @name = name @password = password @ip_addr = ip_addr - @remember = remember - @secure = secure end def authenticate if User.authenticate(name, password) @user = User.find_by_name(name) - if remember.present? - cookies.permanent.signed[:user_name] = { - :value => @user.name, - :secure => secure, - :httponly => true - } - cookies.permanent[:password_hash] = { - :value => @user.bcrypt_cookie_password_hash, - :secure => secure, - :httponly => true - } - end - session[:user_id] = @user.id @user.update_column(:last_ip_addr, ip_addr) return true 
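Review bot: The redirect-target check on the hunk's last line, `url = params[:url] if params[:url] && params[:url].start_with?("/")`, still accepts protocol-relative targets such as `//evil.example/` (and `/\evil.example`, which browsers normalise to the same thing), so a crafted login link can bounce a freshly authenticated user to an attacker-chosen host; the line is unchanged context, but the commit touches the line directly above it. Tightening it to `url = params[:url] if params[:url] && params[:url].start_with?("/") && !params[:url].start_with?("//", "/\\")` keeps the intended same-site-only behaviour. The `create` action continues past the end of the hunk.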
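Review bot: `authenticate` writes `session[:user_id] = @user.id` into whatever session the browser arrived with and never rotates it; with the remember-cookie path removed and sessions made permanent by this patch, a session identifier planted before login (session fixation) would now stay valid for the cookie's full lifetime. SessionCreator only receives the session hash, so the simplest fix is in the caller — `reset_session` in `SessionsController#create` before building the SessionCreator — or, if the configured session store honours it, `session.options[:renew] = true` here just before the assignment; the store configuration is not visible in this diff. Minor: `User.authenticate(name, password)` followed by `User.find_by_name(name)` loads the user twice; if `User.authenticate` returns the record, `@user = User.authenticate(name, password)` would do both jobs. The `else` branch of `authenticate` and the class end lie outside the hunk.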
diff --git a/app/logical/session_loader.rb b/app/logical/session_loader.rb index be7c70c15..25c9c4438 100644 --- a/app/logical/session_loader.rb +++ b/app/logical/session_loader.rb @@ -27,7 +27,7 @@ class SessionLoader update_last_ip_addr set_time_zone set_safe_mode - set_started_at_session + initialize_session_cookies CurrentUser.user.unban! if CurrentUser.user.ban_expired? ensure DanbooruLogger.add_session_attributes(request, session, CurrentUser.user) @@ -114,9 +114,12 @@ private CurrentUser.safe_mode = safe_mode end - def set_started_at_session - if session[:started_at].blank? - session[:started_at] = Time.now.utc.to_s - end + def initialize_session_cookies + session.options[:expire_after] = 20.years + session[:started_at] ||= Time.now.utc.to_s + + # clear out legacy login cookies if present + cookies.delete(:user_name) + cookies.delete(:password_hash) end end diff --git a/app/views/sessions/new.html.erb b/app/views/sessions/new.html.erb index 70c2c2799..87d7d0ab7 100644 --- a/app/views/sessions/new.html.erb +++ b/app/views/sessions/new.html.erb @@ -13,9 +13,6 @@
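Review bot: `session.options[:expire_after] = 20.years` in `initialize_session_cookies` makes every session cookie — including those of anonymous visitors, since this runs on each request from the loader — a bearer token that stays valid for two decades, and nothing in the hunk bounds a session's age, so a stolen or leaked cookie is usable until the application's signing secret is rotated. The `started_at` timestamp the method already records (`session[:started_at] ||= Time.now.utc.to_s`) gives a cheap absolute lifetime: e.g. `request.reset_session if session[:started_at].present? && Time.parse(session[:started_at]) < 1.year.ago` placed before the `||=`, with the cutoff a product decision and `request` being the object the `ensure` block above passes to the logger. I would also add a comment on the `expire_after` line stating why the cookie is permanent, e.g. `# permanent session replaces the old user_name/password_hash "remember" cookies`. Whether the cookie is flagged `secure`/`httponly` is decided in the session store configuration, which this diff does not show.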
<%= password_field_tag :password %> - - <%= check_box_tag :remember, "1", true %> -