author | Kasper Timm Hansen <kaspth@gmail.com> | 2017-09-04 19:49:02 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2017-09-04 19:49:02 +0200 |
commit | a917b59d54c903ad9366d6f8f0ad0d4c02020b45 (patch) | |
tree | d09c87a1499923ea1dde093727278f0a304f0252 | |
parent | a516fdefb6433993d7fcfda7b834fee1a2309d96 (diff) | |
parent | 9f0b3b59acb5f54a9cf4a6d4697e09ecb8dd18a8 (diff) | |
Merge pull request #30407 from assain/document-expiry-metadata-support-cookies
Add Documentation For Duration Support & Expiry Meta Data Added to Signed / Encrypted Cookies
-rw-r--r-- | actionpack/CHANGELOG.md | 21 | ||||
-rw-r--r-- | actionpack/lib/action_dispatch/middleware/cookies.rb | 11 |
2 files changed, 28 insertions, 4 deletions
diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md
index b56a1c5d4b..ad80bb26a7 100644
--- a/actionpack/CHANGELOG.md
+++ b/actionpack/CHANGELOG.md
@@ -1,3 +1,24 @@
+* Cookies `:expires` option supports `ActiveSupport::Duration` object.
+
+ cookies[:user_name] = { value: "assain", expires: 1.hour }
+ cookies[:key] = { value: "a yummy cookie", expires: 6.months }
+
+ Pull Request: #30121
+
+ *Assain Jaleel*
+
+* Enforce signed/encrypted cookie expiry server side.
+
+ Rails can thwart attacks by malicious clients that don't honor a cookie's expiry.
+
+ It does so by stashing the expiry within the written cookie and relying on the
+ signing/encrypting to vouch that it hasn't been tampered with. Then on a
+ server-side read, the expiry is verified and any expired cookie is discarded.
+
+ Pull Request: #30121
+
+ *Assain Jaleel*
+
 * Make `take_failed_screenshot` work within engine.
 
 Fixes #30405.
diff --git a/actionpack/lib/action_dispatch/middleware/cookies.rb b/actionpack/lib/action_dispatch/middleware/cookies.rb
index c0913715ac..adad743d38 100644
--- a/actionpack/lib/action_dispatch/middleware/cookies.rb
+++ b/actionpack/lib/action_dispatch/middleware/cookies.rb
@@ -83,7 +83,10 @@ module ActionDispatch
 # cookies[:lat_lon] = JSON.generate([47.68, -122.37])
 #
 # # Sets a cookie that expires in 1 hour.
- # cookies[:login] = { value: "XJ-122", expires: 1.hour.from_now }
+ # cookies[:login] = { value: "XJ-122", expires: 1.hour }
+ #
+ # # Sets a cookie that expires at a specific time.
+ # cookies[:login] = { value: "XJ-122", expires: Time.utc(2020, 10, 15, 5) }
 #
 # # Sets a signed cookie, which prevents users from tampering with its value.
 # # The cookie is signed by your app's `secrets.secret_key_base` value.
@@ -100,7 +103,7 @@ module ActionDispatch
 # cookies.permanent[:login] = "XJ-122"
 #
 # # You can also chain these methods:
- # cookies.permanent.signed[:login] = "XJ-122"
+ # cookies.signed.permanent[:login] = "XJ-122"
 #
 # # Examples of reading:
 #
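Review bot: The chaining example in the `@@ -100,7 +103,7 @@` hunk of cookies.rb is reordered from `cookies.permanent.signed[:login]` to `cookies.signed.permanent[:login]` with no explanation, so a reader cannot tell whether the old order still works or why it changed. Given the CHANGELOG entry in this same commit about stashing the expiry inside the signed/encrypted payload, the order presumably decides whether the permanent expiry ends up inside that payload — confirm against the jar implementations before documenting it as such. A short why-comment on the example would stop readers from treating the two orders as interchangeable, e.g. `# # You can also chain these methods (chain +permanent+ last so its expiry is carried inside the signed payload):`. The surrounding comment block continues outside the hunk.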
@@ -118,7 +121,7 @@ module ActionDispatch
 #
 # cookies[:name] = {
 # value: 'a yummy cookie',
- # expires: 1.year.from_now,
+ # expires: 1.year,
 # domain: 'domain.com'
 # }
 #
@@ -144,7 +147,7 @@ module ActionDispatch
 # * <tt>:tld_length</tt> - When using <tt>:domain => :all</tt>, this option can be used to explicitly
 # set the TLD length when using a short (<= 3 character) domain that is being interpreted as part of a TLD.
 # For example, to share cookies between user1.lvh.me and user2.lvh.me, set <tt>:tld_length</tt> to 1.
- # * <tt>:expires</tt> - The time at which this cookie expires, as a \Time object.
+ # * <tt>:expires</tt> - The time at which this cookie expires, as a \Time or ActiveSupport::Duration object.
 # * <tt>:secure</tt> - Whether this cookie is only transmitted to HTTPS servers.
 # Default is +false+.
 # * <tt>:httponly</tt> - Whether this cookie is accessible via scripting or |
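Review bot: The new `:expires` text in the `@@ -144,7 +147,7 @@` hunk says a Duration is accepted but not what it is relative to, and it says nothing about the server-side enforcement that the CHANGELOG in this same commit describes (the expiry is stored in the signed/encrypted payload and verified on read). As far as this commit shows, a plain cookie's expiry is still only honored by the client, so a reader who treats `:expires` as a security boundary needs that distinction in the option list rather than only in the CHANGELOG. Suggest extending the line to `# * <tt>:expires</tt> - The time at which this cookie expires, as a \Time object or an ActiveSupport::Duration measured from when the cookie is set. For signed and encrypted cookies the expiry is also stored in the cookie payload and enforced when the cookie is read; plain cookies rely on the client to honor it.`. The option list continues outside the hunk.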