fixes #1851

2013-07-26 17:37:44 -07:00
parent 8cc05f5ef6
commit 80c1c13ce3
2 changed files with 13 additions and 5 deletions
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -4,7 +4,7 @@ class SessionsController < ApplicationController
  end

  def create
-    session_creator = SessionCreator.new(session, cookies, params[:name], params[:password], params[:remember])
+    session_creator = SessionCreator.new(session, cookies, params[:name], params[:password], params[:remember], request.ssl?)

    if session_creator.authenticate
      url = params[:url] if params[:url] && params[:url].start_with?("/")
--- a/app/logical/session_creator.rb
+++ b/app/logical/session_creator.rb
@@ -1,12 +1,13 @@
 class SessionCreator
-  attr_reader :session, :cookies, :name, :password, :remember
+  attr_reader :session, :cookies, :name, :password, :remember, :secure

-  def initialize(session, cookies, name, password, remember)
+  def initialize(session, cookies, name, password, remember = false, secure = false)
    @session = session
    @cookies = cookies
    @name = name
    @password = password
    @remember = remember
+    @secure = secure
  end

  def authenticate
@@ -15,8 +16,15 @@ class SessionCreator
      user.update_column(:last_logged_in_at, Time.now)

      if remember.present?
-        cookies.permanent.signed[:user_name] = user.name
-        cookies.permanent[:password_hash] = user.bcrypt_cookie_password_hash
+        cookies.permanent.signed[:user_name] = {
+          :value => user.name,
+          :secure => secure
+        }
+        cookies.permanent[:password_hash] = {
+          :value => user.bcrypt_cookie_password_hash,
+          :secure => secure,
+          :httponly => true
+        }
      end

      session[:user_id] = user.id