
This is in relation to the checkbox that allows users to stay logged in when they close their browser. In an intermediate version, we remembered the user regardless, and now we're checking the params to see if the checkbox was set. This is the line of code that confuses me:

params[:session][:remember_me] == '1' ? remember(user) : forget(user)

Specifically, why are we forgetting the user if params[:session][:remember_me] is 0? Since we have never remembered the user (I think -- I'm a major newbie), wouldn't this work:

remember(user) if (params[:session][:remember_me] == '1')

and make more sense? I tried it and it passes the tests (which are very basic), but it also seems to behave appropriately. But maybe there's some stray variable that's staying set that I'm missing because I don't know what I'm doing.

  • If you deselect the checkbox you will want to update the `remember_me` part. That is to make sure that you can "forget me". – Emz Nov 22 '15 at 00:53

1 Answer


I am at the exact same point and was wondering about the exact same thing.

And I came to the conclusion: it's only about security.
Because if a user never logs out of your app, an attacker who stole her user_id and remember_token cookies could use them all the time. However if the user eventually logs in on another computer either the remember_digest attribute gets a new value or is set to nil. Either way the attacker gets locked out.
By omitting forget(user) the only time the remember_digest is set to nil is when the user deliberately logs out.

However the version remember(user) if (params[:session][:remember_me] == '1') gives the user the ability to select one "remembered" computer.

Emanuelle
  • this almost makes sense to me, but still only seems like one rare way to interact with the program. I can't reproduce it either. If I log in in Chrome and ask to be remembered, then log in to Firefox and don't ask to be remembered, then shut down Chrome and return to the website in Chrome, I am still logged in. Which is, I think, what I would expect as a user, but doesn't seem to match the idea of the remember_digest attribute being reset (maybe). I'm so confused! – Ingrid Biery Nov 23 '15 at 00:53
  • Check http://stackoverflow.com/a/10772420/5552599 maybe this causes the confusion. – Emanuelle Nov 23 '15 at 06:42
  • Ok. Thanks. I can make it work now where choosing to log in without "remember me" on one browser then means that I am no longer remembered in another browser. And while this still confuses me a bit, it does seem like the right thing to do. – Ingrid Biery Nov 24 '15 at 17:32
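To make the answer's point concrete, here is an added, stripped-down model of remember/forget (not code from the question, the answer, or the Rails Tutorial) that runs without Rails: it assumes a SHA-256 digest in place of BCrypt and puts `remember`/`forget` on the user object. It compares the tutorial's ternary with the question's shorter variant and shows that only the `forget(user)` branch revokes a cookie token stolen before a later login without the checkbox.

```ruby
require 'securerandom'
require 'digest'

# Minimal stand-in for the tutorial's User model (assumption: the real model
# hashes with BCrypt; SHA-256 is used here only to stay dependency-free).
class User
  attr_accessor :remember_token, :remember_digest

  def self.digest(string)
    Digest::SHA256.hexdigest(string)
  end

  def self.new_token
    SecureRandom.urlsafe_base64
  end

  # Store a digest of a fresh token; the raw token is what goes in the cookie.
  def remember
    self.remember_token = User.new_token
    self.remember_digest = User.digest(remember_token)
  end

  # Clearing the digest invalidates every remember cookie issued so far.
  def forget
    self.remember_digest = nil
  end

  # Does the token presented by the browser match the stored digest?
  def authenticated?(token)
    return false if remember_digest.nil?
    remember_digest == User.digest(token)
  end
end

# Simulates a second login with the checkbox unchecked, using either the
# tutorial's ternary (forget on '0') or the question's variant (no forget).
# Returns whether a token captured BEFORE that login still authenticates.
def stolen_token_still_valid?(forget_when_unchecked:)
  user = User.new
  user.remember                                # first login, box checked
  stolen = user.remember_token                 # attacker copies the cookie
  params = { session: { remember_me: '0' } }   # constructed second-login params
  if forget_when_unchecked
    params[:session][:remember_me] == '1' ? user.remember : user.forget
  else
    user.remember if params[:session][:remember_me] == '1'
  end
  user.authenticated?(stolen)
end
```

With `forget_when_unchecked: false` the stolen token keeps working; with `true` it is rejected, which is the lock-out the answer describes.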