On Apr 25, 5:15 am, "Amir Z." <[email protected]> wrote:
> Please find my login code below.
>


> cookies[:authorization_token] = {              (line no. 27)
> :value => user.authorization_token,            (line no. 28)
> :expires => 10.years.from_now }                (line no. 29)

Cookie values should be strings, not integers. Also, since you've set
authorization_token to just be the user id, this allows any user to log
in as any other user just by modifying the value of this cookie and
guessing a user_id.

Fred

>   else
> cookies.delete(:remember_me)
> cookies.delete(:authorization_token)
> end
> flash[:notice] = "User #{user.screen_name} logged in!"
> redirect_to_forwarding_url
> else
> @user.clear_password!
> flash[:notice] = "Invalid screen name/password combination"
> end
> end
> end
>
> --
> Posted via http://www.ruby-forum.com/.
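The fix Fred is pointing at, worked through as an added plain-Ruby illustration rather than code from this thread: the cookie carries a random, unguessable token string instead of the user id, and the server stores only a digest of it. `USERS`, `issue_authorization_token` and `user_from_token` are made-up names standing in for the User model and the controller code.

```ruby
require 'securerandom'
require 'digest'

# Constructed in-memory user table standing in for User records.
USERS = {
  1 => { screen_name: 'amir', token_digest: nil },
  2 => { screen_name: 'fred', token_digest: nil }
}

# The pattern from the thread: the cookie value is the user id itself,
# so whoever guesses a small integer is logged in as that user.
def user_from_predictable_cookie(cookie_value)
  USERS[cookie_value.to_i]
end

# Hardened: mint a random token, keep only its SHA-256 digest server-side,
# and hand back the token string to be placed in cookies[:authorization_token].
def issue_authorization_token(user_id)
  token = SecureRandom.hex(32) # 256 bits of entropy, already a String
  USERS[user_id][:token_digest] = Digest::SHA256.hexdigest(token)
  token
end

# Look the cookie up by digest. Rejects non-strings and malformed values
# before touching the store; comparing digests of a random token (not the
# token itself) means a timing difference reveals nothing useful.
def user_from_token(cookie_value)
  return nil unless cookie_value.is_a?(String) && cookie_value.match?(/\A\h{64}\z/)
  digest = Digest::SHA256.hexdigest(cookie_value)
  _id, user = USERS.find { |_, u| u[:token_digest] == digest }
  user
end

# Logging out (the cookies.delete branch) should also invalidate the token
# server-side, so a copied cookie stops working.
def revoke_authorization_token(user_id)
  USERS[user_id][:token_digest] = nil
end
```

In the Rails controller the only change is `:value => issue_authorization_token(user.id)` in place of the user id, with the same `:expires` option.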
