From 00df69bc89f1b5ffdf290bde8359b3854e2b1395 Mon Sep 17 00:00:00 2001
From: Eugen Rochko <eugen@zeonfederated.com>
Date: Fri, 7 Jul 2017 23:25:15 +0200
Subject: Fix #4058 - Use a long-lived cookie to keep track of user-level
 sessions (#4091)

* Fix #4058 - Use a long-lived cookie to keep track of user-level sessions

* Fix tests, smooth migrate from previous session-based identifier
---
 config/initializers/devise.rb | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)

(limited to 'config/initializers')

diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb
index d51471d30..bf61ea0ea 100644
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@@ -1,17 +1,29 @@
 Warden::Manager.after_set_user except: :fetch do |user, warden|
-  SessionActivation.deactivate warden.raw_session['auth_id']
-  warden.raw_session['auth_id'] = user.activate_session(warden.request)
+  SessionActivation.deactivate warden.cookies.signed['_session_id']
+
+  warden.cookies.signed['_session_id'] = {
+    value: user.activate_session(warden.request),
+    expires: 1.year.from_now,
+    httponly: true,
+  }
 end
 
 Warden::Manager.after_fetch do |user, warden|
-  unless user.session_active?(warden.raw_session['auth_id'])
+  if user.session_active?(warden.cookies.signed['_session_id'] || warden.raw_session['auth_id'])
+    warden.cookies.signed['_session_id'] = {
+      value: warden.cookies.signed['_session_id'] || warden.raw_session['auth_id'],
+      expires: 1.year.from_now,
+      httponly: true,
+    }
+  else
     warden.logout
     throw :warden, message: :unauthenticated
   end
 end
 
 Warden::Manager.before_logout do |_, warden|
-  SessionActivation.deactivate warden.raw_session['auth_id']
+  SessionActivation.deactivate warden.cookies.signed['_session_id']
+  warden.cookies.delete('_session_id')
 end
 
 Devise.setup do |config|
-- 
cgit