| Commit message | Author | Age | Files | Lines |
The example was slightly incorrect. This commit also adds a test case
for this example to cookies middleware unit tests.
The link to recaptcha.net returns a 404. As far as I can tell, the new
link ought to be to https://developers.google.com/recaptcha/.
It's become clear to me that the use case is still a bit muddy
and the upgrade path is going to be tough for people to figure
out.
This attempts to understand it better through documentation,
but still needs follow-up work.
[ Michael Coyne & Kasper Timm Hansen ]
Using the action_dispatch.cookies_rotations interface, key rotation is
now possible with cookies. Thus the secret_key_base as well as salts,
ciphers, and digests, can be rotated without expiring sessions.
make documentation consistent with KeyError message
Follow-up of ca18922ac23be2cde6963fae9b193c9111bec6f8
Removes most mentions of secrets.secret_key_base and explains
credentials instead.
Also removes some very stale upgrade notices about Rails 3/4.
Changed the phrase '... and many more high targets' to '... and many more high _profile_ targets'
Periods should be outside of the <a> tags
[ci skip]
AEAD encrypted cookies and sessions
This commit changes encrypted cookies from AES in CBC HMAC mode to
Authenticated Encryption using AES-GCM. It also provides a cookie jar
to transparently upgrade encrypted cookies to this new scheme. Some
other notable changes include:
- There is a new application configuration value:
+use_authenticated_cookie_encryption+. When enabled, AEAD encrypted
cookies will be used.
- +cookies.signed+ does not raise a +TypeError+ now if the name of an
encrypted cookie is used. Encrypted cookies using the same key as
signed cookies would be verified and serialization would then fail
due to the message still being encrypted.
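The two commit messages about cookie encryption on this page (the cookies_rotations one above, and this AES-GCM one) describe three mechanisms: the legacy CBC-plus-HMAC cookie, the AEAD cookie that replaces it, and a jar that accepts both, re-seals on read, and tolerates rotated secrets. The Ruby below is an added example written for this page, not Rails code: its cookie layout, salt strings, PBKDF2 parameters and the `UpgradingCookieJar` class are this example's own choices, and the session value and secrets are constructed sample data.

```ruby
require "openssl"
require "base64"
require "json"

# Added example, not Rails code. Keys are derived from a secret_key_base
# and a salt with PBKDF2-HMAC-SHA256 in the spirit of
# ActiveSupport::KeyGenerator; the iteration count and salt strings are
# this example's choices, not Rails' configuration.
def derive_key(secret_key_base, salt, length)
  OpenSSL::KDF.pbkdf2_hmac(secret_key_base, salt: salt, iterations: 1000,
                           length: length, hash: "sha256")
end

def b64(s)
  Base64.strict_encode64(s)
end

def unb64(s)
  Base64.strict_decode64(s)
end

# Constant-time comparison so the MAC check does not leak via timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Legacy scheme: AES-256-CBC, then HMAC-SHA256 over the encoded "ct--iv"
# body under a separate key (encrypt-then-MAC). Cookie is "ct--iv--mac".
module LegacyCbcHmac
  def self.seal(secret, plaintext)
    c = OpenSSL::Cipher.new("aes-256-cbc").encrypt
    c.key = derive_key(secret, "encrypted cookie", 32)
    iv = c.random_iv
    body = "#{b64(c.update(plaintext) + c.final)}--#{b64(iv)}"
    mac_key = derive_key(secret, "signed encrypted cookie", 64)
    "#{body}--#{OpenSSL::HMAC.hexdigest('SHA256', mac_key, body)}"
  end

  def self.open(secret, cookie)
    body, _, mac = cookie.rpartition("--")
    mac_key = derive_key(secret, "signed encrypted cookie", 64)
    return nil unless secure_equal?(OpenSSL::HMAC.hexdigest("SHA256", mac_key, body), mac)
    ct, iv = body.split("--").map { |s| unb64(s) }
    c = OpenSSL::Cipher.new("aes-256-cbc").decrypt
    c.key = derive_key(secret, "encrypted cookie", 32)
    c.iv = iv
    c.update(ct) + c.final
  rescue OpenSSL::Cipher::CipherError, ArgumentError, TypeError
    nil
  end
end

# AEAD scheme: AES-256-GCM, one key, 12-byte nonce, 16-byte tag bound to
# the ciphertext, so no separate MAC key. Cookie is "ct--iv--tag".
module AeadGcm
  def self.seal(secret, plaintext)
    c = OpenSSL::Cipher.new("aes-256-gcm").encrypt
    c.key = derive_key(secret, "authenticated encrypted cookie", 32)
    iv = c.random_iv
    ct = c.update(plaintext) + c.final
    [ct, iv, c.auth_tag].map { |s| b64(s) }.join("--")
  end

  def self.open(secret, cookie)
    ct, iv, tag = cookie.split("--").map { |s| unb64(s) }
    return nil unless tag && tag.bytesize == 16 # reject missing or truncated tags
    c = OpenSSL::Cipher.new("aes-256-gcm").decrypt
    c.key = derive_key(secret, "authenticated encrypted cookie", 32)
    c.iv = iv
    c.auth_tag = tag
    c.update(ct) + c.final # raises CipherError when the tag does not verify
  rescue OpenSSL::Cipher::CipherError, ArgumentError, TypeError
    nil
  end
end

# Jar that reads either format, tries the current secret then each
# rotated one, and hands back a re-sealed cookie whenever what it read
# was not already AEAD under the current secret (hypothetical class).
class UpgradingCookieJar
  def initialize(current_secret, rotations: [])
    @current = current_secret
    @secrets = [current_secret, *rotations]
  end

  def write(value)
    AeadGcm.seal(@current, value)
  end

  # Returns [value, replacement_cookie_or_nil]; [nil, nil] if nothing verifies.
  def read(cookie)
    @secrets.each_with_index do |secret, idx|
      value = AeadGcm.open(secret, cookie)
      return [value, idx.zero? ? nil : write(value)] if value
      value = LegacyCbcHmac.open(secret, cookie)
      return [value, write(value)] if value
    end
    [nil, nil]
  end
end

if $PROGRAM_NAME == __FILE__
  session = JSON.generate("session_id" => "2f7a", "user_id" => 42) # constructed
  jar = UpgradingCookieJar.new("new-secret-key-base", rotations: ["old-secret-key-base"])
  value, upgraded = jar.read(LegacyCbcHmac.seal("old-secret-key-base", session))
  puts "read #{value.inspect}; re-sealed as AEAD: #{!upgraded.nil?}"
end
```

Two details carry the security point. The legacy reader checks the HMAC before it touches the ciphertext, which is what keeps CBC malleability and padding errors from becoming an oracle; the AEAD reader gets the same property from GCM's tag but must still refuse a missing or short tag before calling into the cipher. A jar that verifies with every configured secret before giving up is the rotation idea: add the new secret as current, keep the old one in the rotation list until the last cookie sealed under it has been re-read and re-sealed, then drop it.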
".. with __dir__ we can restore order in the Universe." - by @fxn
Related to 5b8738c2df003a96f0e490c43559747618d10f5f
https://github.com/rails/rails-ujs is merged into actionview in favor of https://github.com/rails/rails/pull/28098.
[skip ci]
[ci skip]
[ci skip]
Follow-up of https://github.com/rails/rails/pull/27086
section already speaks about sanitization as a safety measure. [ci skip] (#27086)
Fixes #27085
Currently mongrel is not maintained,
and it cannot be built with any Ruby version
supported by Rails.
It is reasonable to remove the word "mongrel" in order to avoid
confusing newcomers.
it is used in the context of a command like bin/rails or the rails directory [ci skip]
update to make it less obvious that this guide is from 2008/2009
malicious ads are neither new nor unusual
live HTTP headers project is dead - see https://www.mozdev.org/bugs/show_bug.cgi?id=25944
* Update documentation about Safari 4 supporting http only cookie
- Source: www.greebo.net/2009/06/09/httponly-in-safari-40-release/ via http://stackoverflow.com/questions/528405/which-browsers-do-support-httponly-cookies
Would have submitted to docrails, but this guide was just changed today,
and docrails doesn't have the most updated version :grimacing:
cc @vipulnsward
[ci skip]
Bring up-to-date the information about the session id in the
Sessions section. The guide currently says that the session
id is a md5 hash while the implementation uses a random hex
string.
Fixes #25032.
[ci skip]
[restful-authentication](https://rubygems.org/gems/restful-authentication/versions/1.2.1) hasn't been updated since
September 6th, 2012 so it might not be a great idea to recommend that Rails users try it out.
Devise seems like a much more popular and secure solution that automatically resets sessions on sign in and out
so it's a great example in this case.
/cc @tenderlove @josevalim
Fixed errors in rails migrations docs [ci skip]
Fixed errors in rails security docs [ci skip]
This is a pass over the documentation which fills the missing gaps of
`ApplicationRecord`.
[ci skip]
https://github.com/rails/rails/commit/e768c519fb6015e00961702a5165c6dab548a954 bang version produces `KeyError` [ci skip]