Chrome does not expire cookies, ever. Even when you set correct parameters. So don't rely on the browser to invalidate cookies after the browser closes or after some duration offline. We keep the last request time in session data and expire sessions server side.
Users will have their passwords stolen. Log successful and failed logins with IP to investigate later. And be prepared to add IP whitelisting and 2-factor auth later.
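A sketch of the server-side expiry and login logging described in the post above, as an added example that is not the poster's code. The `:last_request_at` key, the 30-minute timeout and the helper names are assumptions; `session` stands for any Hash-like store such as a Rails controller's `session`.

```ruby
require "time"

IDLE_TIMEOUT = 30 * 60 # seconds; constructed value, tune per application
CLOCK_SKEW   = 60      # tolerate small differences between app servers

# Parse the stored timestamp; anything malformed or missing counts as absent.
def parse_time(value)
  Time.iso8601(value.to_s).utc
rescue ArgumentError
  nil
end

# Call once per request (for example from a before_action).
# Returns :anonymous, :active or :expired. On :expired the session is wiped,
# so a cookie the browser never dropped no longer maps to a logged-in user.
def touch_or_expire(session, now: Time.now.utc, idle_timeout: IDLE_TIMEOUT)
  return :anonymous unless session[:user_id]

  last = parse_time(session[:last_request_at])
  stale  = last.nil? || (now - last) > idle_timeout
  future = last && last > now + CLOCK_SKEW # timestamp ahead of the clock: reject
  if stale || future
    session.clear
    return :expired
  end

  session[:last_request_at] = now.iso8601 # slide the idle window forward
  :active
end

# One audit line per login attempt, success or failure, with the client IP.
# `inspect` escapes quotes and newlines so a crafted username cannot forge lines.
def login_audit_line(user:, ip:, success:, now: Time.now.utc)
  format("%s login %s user=%s ip=%s",
         now.iso8601, success ? "ok" : "FAILED", user.to_s.inspect, ip)
end
```

A logged-in session with no timestamp is treated as expired rather than trusted, which also covers sessions created before the check was deployed.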