From de481a46db96bfc08c24cc9146a7f9e2aeb4a750 Mon Sep 17 00:00:00 2001
From: Michael Chaney
Date: Fri, 14 Jun 2024 11:42:18 -0500
Subject: [PATCH] Adds security to the remember_token cookie.

1. set to "secure" in production
2. HttpOnly set to true
3. SameSite is now Strict
---
 app/controllers/concerns/authentication.rb   | 7 ++++++-
 test/controllers/sessions_controller_test.rb | 5 +++++
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/app/controllers/concerns/authentication.rb b/app/controllers/concerns/authentication.rb
index 751f0c2..4f2d141 100644
--- a/app/controllers/concerns/authentication.rb
+++ b/app/controllers/concerns/authentication.rb
@@ -35,7 +35,12 @@ def redirect_if_authenticated
   end
 
   def remember(active_session)
-    cookies.permanent.encrypted[:remember_token] = active_session.remember_token
+    cookies.permanent.encrypted[:remember_token] = {
+      value: active_session.remember_token,
+      secure: Rails.env.production?,
+      http_only: true,
+      same_site: :strict
+    }
   end
 
   private
diff --git a/test/controllers/sessions_controller_test.rb b/test/controllers/sessions_controller_test.rb
index 928d560..ada661b 100644
--- a/test/controllers/sessions_controller_test.rb
+++ b/test/controllers/sessions_controller_test.rb
@@ -44,6 +44,11 @@ class SessionsControllerTest < ActionDispatch::IntegrationTest
 
     assert_not_nil current_user
     assert_not_nil cookies[:remember_token]
+
+    remember_me_cookie = cookies.get_cookie("remember_token")
+
+    assert remember_me_cookie.http_only?
+    assert_equal "Strict", remember_me_cookie.to_h["SameSite"]
   end
 
   test "should forget user when logging out" do
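Review bot: `secure: Rails.env.production?` ties the Secure attribute to the environment name rather than to the transport, so an HTTPS staging or review environment issues the remember_token cookie without it, while a production deployment that runs with `config.force_ssl` would already get the flag from the SSL middleware. Keying on the request's actual scheme keeps the flag correct in every environment: `secure: Rails.env.production? || request.ssl?`. `same_site: :strict` also means the browser withholds the cookie on a top-level navigation arriving from another site, so a user following an external link is treated as logged out on that first request even with a valid remember_token; if that trade-off is intended it deserves a comment such as `# Strict: cookie is withheld on cross-site navigations, so external links land logged out`. remember's enclosing module starts and ends outside the hunk.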
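Review bot: The new assertions cover HttpOnly and SameSite but not the Secure attribute, which is the only one the change makes conditional, so a regression in the `Rails.env.production?` gate would pass this test unnoticed. At minimum pin the test-environment expectation with `assert_not remember_me_cookie.secure?`, and consider a sibling test that stubs the production check (for example `Rails.env.stub(:production?, true) { ... }`) and asserts `remember_me_cookie.secure?` there. The `test "..." do` block these lines belong to starts outside the hunk.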