only store partial hash in cookies for validation

2013-03-05 16:49:09 -05:00
parent f52181db94
commit 5ab9887923
4 changed files with 10 additions and 6 deletions
--- a/app/logical/session_creator.rb
+++ b/app/logical/session_creator.rb
@@ -16,7 +16,7 @@ class SessionCreator
      
      if remember.present?
        cookies.permanent.signed[:user_name] = user.name
-        cookies.permanent.signed[:password_hash] = user.bcrypt_password_hash
+        cookies.permanent[:password_hash] = user.bcrypt_cookie_password_hash
      end
      
      session[:user_id] = user.id
--- a/app/logical/session_loader.rb
+++ b/app/logical/session_loader.rb
@@ -41,7 +41,7 @@ private
  end
  
  def cookie_password_hash_valid?
-    cookies[:password_hash] && User.authenticate_cookie_hash(cookies.signed[:user_name], cookies.signed[:password_hash])
+    cookies[:password_hash] && User.authenticate_cookie_hash(cookies.signed[:user_name], cookies[:password_hash])
  end
  
  def update_last_logged_in_at
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -124,6 +124,10 @@ class User < ActiveRecord::Base
    def bcrypt_password
      BCrypt::Password.new(bcrypt_password_hash)
    end
+    
+    def bcrypt_cookie_password_hash
+      bcrypt_password_hash.slice(20, 100)
+    end

    def encrypt_password_on_create
      self.password_hash = ""
@@ -183,7 +187,7 @@ class User < ActiveRecord::Base

      def authenticate_cookie_hash(name, hash)
        user = find_by_name(name)
-        if user && user.bcrypt_password_hash == hash
+        if user && user.bcrypt_cookie_password_hash == hash
          user
        else
          nil