login: remove 'remember' checkbox; make session cookies permanent.

Remove the "Remember" checkbox from the login page. Make session cookies
permanent instead. Phase out legacy `user_name` and `password_hash` cookies.

Previously a user's session cookies would be cleared whenever they
closed their browser window, which would log them out of the site. To
work around this, when the "Remember" box was checked on the login page
(which it was by default), the user's name and password hash (!) would
be stored in separate permanent cookies, which would be used to
automatically log the user back in when their session cookies were
cleared. We can avoid all of this just by making the session cookies
themselves permanent.
This commit is contained in:
evazion
2019-11-17 16:42:54 -06:00
parent 9b893db640
commit 320ff01e07
6 changed files with 12 additions and 37 deletions


@@ -8,7 +8,7 @@ module Maintenance
deletion = UserDeletion.new(CurrentUser.user, params[:password]) deletion = UserDeletion.new(CurrentUser.user, params[:password])
deletion.delete! deletion.delete!
session.delete(:user_id) session.delete(:user_id)
cookies.delete(:cookie_password_hash) cookies.delete(:password_hash)
cookies.delete(:user_name) cookies.delete(:user_name)
redirect_to(posts_path, :notice => "You are now logged out") redirect_to(posts_path, :notice => "You are now logged out")
end end
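Review bot: The logout after account deletion still only removes `:user_id` from the session, and now that the session cookie is permanent the rest of the session contents and the session id itself stay on the browser; `reset_session` in place of `session.delete(:user_id)` would discard both. The two legacy cookie deletions are the same ones SessionLoader now performs on every request, so they are redundant here but harmless. The enclosing action starts before the hunk.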


@@ -7,7 +7,7 @@ class SessionsController < ApplicationController
end end
def create def create
session_creator = SessionCreator.new(session, cookies, params[:name], params[:password], request.remote_ip, params[:remember], request.ssl?) session_creator = SessionCreator.new(session, params[:name], params[:password], request.remote_ip)
if session_creator.authenticate if session_creator.authenticate
url = params[:url] if params[:url] && params[:url].start_with?("/") url = params[:url] if params[:url] && params[:url].start_with?("/")
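Review bot: Login writes `session[:user_id]` into whatever session the browser already presented, and with the session cookie now permanent a session id fixed before authentication is carried into the logged-in session for 20 years; calling `reset_session` on the line before `session_creator = SessionCreator.new(session, params[:name], params[:password], request.remote_ip)` gives each login a fresh session. Separately, the `start_with?("/")` check on `params[:url]` also accepts protocol-relative values such as `//evil.example`, which Rails `redirect_to` passes through unchanged, so the check should also reject a second leading slash, e.g. `params[:url].start_with?("/") && !params[:url].start_with?("//")`, assuming `url` feeds a `redirect_to` further down. The `create` action continues past the hunk.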


@@ -1,9 +0,0 @@
div#c-sessions {
div#a-new {
label#remember-label {
display: inline;
font-weight: normal;
font-style: italic;
}
}
}


@@ -1,34 +1,18 @@
class SessionCreator class SessionCreator
attr_reader :session, :cookies, :name, :password, :ip_addr, :remember, :secure attr_reader :session, :name, :password, :ip_addr
attr_reader :user attr_reader :user
def initialize(session, cookies, name, password, ip_addr, remember = false, secure = false) def initialize(session, name, password, ip_addr)
@session = session @session = session
@cookies = cookies
@name = name @name = name
@password = password @password = password
@ip_addr = ip_addr @ip_addr = ip_addr
@remember = remember
@secure = secure
end end
def authenticate def authenticate
if User.authenticate(name, password) if User.authenticate(name, password)
@user = User.find_by_name(name) @user = User.find_by_name(name)
if remember.present?
cookies.permanent.signed[:user_name] = {
:value => @user.name,
:secure => secure,
:httponly => true
}
cookies.permanent[:password_hash] = {
:value => @user.bcrypt_cookie_password_hash,
:secure => secure,
:httponly => true
}
end
session[:user_id] = @user.id session[:user_id] = @user.id
@user.update_column(:last_ip_addr, ip_addr) @user.update_column(:last_ip_addr, ip_addr)
return true return true
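Review bot: The permanent session now identifies the user by `session[:user_id]` alone, so nothing ties it to the user's current credentials: the removed `password_hash` cookie carried `bcrypt_cookie_password_hash`, which meant a password change invalidated every remembered login, and that property is lost in the new `authenticate`. Storing a value that changes with the password next to `user_id` (a per-user session token or a password-changed timestamp, not the bcrypt hash itself) and checking it in SessionLoader would restore that behaviour; whether such a field exists on the user model is not visible here. The `authenticate` method continues past the hunk.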


@@ -27,7 +27,7 @@ class SessionLoader
update_last_ip_addr update_last_ip_addr
set_time_zone set_time_zone
set_safe_mode set_safe_mode
set_started_at_session initialize_session_cookies
CurrentUser.user.unban! if CurrentUser.user.ban_expired? CurrentUser.user.unban! if CurrentUser.user.ban_expired?
ensure ensure
DanbooruLogger.add_session_attributes(request, session, CurrentUser.user) DanbooruLogger.add_session_attributes(request, session, CurrentUser.user)
@@ -114,9 +114,12 @@ private
CurrentUser.safe_mode = safe_mode CurrentUser.safe_mode = safe_mode
end end
def set_started_at_session def initialize_session_cookies
if session[:started_at].blank? session.options[:expire_after] = 20.years
session[:started_at] = Time.now.utc.to_s session[:started_at] ||= Time.now.utc.to_s
end
# clear out legacy login cookies if present
cookies.delete(:user_name)
cookies.delete(:password_hash)
end end
end end
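Review bot: `initialize_session_cookies` sets `expire_after` to 20 years and records `session[:started_at]`, but nothing in the hunk reads `started_at` back, so there is no absolute session lifetime at all; with a cookie-based session store a stolen cookie stays valid until the secret is rotated. Consider resetting the session when `started_at` is older than a chosen maximum, e.g. `Time.parse(session[:started_at]) < 1.year.ago` checked before the `||=` and guarded against unparsable values, or a much shorter `expire_after`. The `secure` and `httponly` flags that the deleted cookies set explicitly now depend solely on the session-store configuration, which this diff does not show, so that configuration should be confirmed. The method that calls `initialize_session_cookies` starts before the first hunk.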


@@ -13,9 +13,6 @@
<div class="input"> <div class="input">
<label for="password">Password</label> <label for="password">Password</label>
<%= password_field_tag :password %> <%= password_field_tag :password %>
<%= check_box_tag :remember, "1", true %>
<label for="remember" id="remember-label">Remember</label>
</div> </div>
<p class="fineprint"> <p class="fineprint">