| author | DavisLWebb <davislwebb@ymail.com> | 2014-03-03 13:52:38 -0500 |
|---|---|---|
| committer | DavisLWebb <davislwebb@ymail.com> | 2014-03-03 13:52:38 -0500 |
| commit | 3425bfd0f56495b7d8d9f86ac740fcf90f0fbfdb (patch) | |
| tree | 58296cb73c7815e98704ce354153f775dfad7dc7 /app/models/user.rb | |
| parent | 257ccb19453c1d609e724a29349d390e5978b739 (diff) | |
I added a lot of documentation to user.rb
Diffstat (limited to 'app/models/user.rb')
-rw-r--r-- | app/models/user.rb | 30 |
1 files changed, 27 insertions, 3 deletions
diff --git a/app/models/user.rb b/app/models/user.rb index f302baf..53ccdaf 100644 --- a/app/models/user.rb +++ b/app/models/user.rb @@ -81,12 +81,36 @@ has_secure_password which does all of this for me validates :password, length: { minimum: 6 } - # create a random remember token for the user +=begin + + Create a random remember token for the user. This will be + changed every time the user creates a new session. + + By changing the cookie every new session, any hijacked sessions + (where the attacker steals a cookie to sign in as a certain + user) will expire the next time the user signs back in. + + The random string is of length 16 composed of A-Z, a-z, 0-9 + This is the browser's cookie value. + +=end + def User.new_remember_token SecureRandom.urlsafe_base64 end - - # encrypt the remember token + +=begin + + Encrypt the remember token. + This is the encrypted version of the cookie stored on + the database. + + The reasoning for storing a hashed token is so that even if + the database is compromised, the atacker won't be able to use + the remember tokens to sign in. + +=end + def User.hash(token) Digest::SHA1.hexdigest(token.to_s) end |
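Review bot: the new doc block above `def User.new_remember_token` misdescribes the token it documents: `SecureRandom.urlsafe_base64` with no argument encodes 16 random bytes as a 22-character string, and the URL-safe alphabet is A-Z, a-z, 0-9 plus `-` and `_`, so "The random string is of length 16 composed of A-Z, a-z, 0-9" should say 22 characters drawn from A-Z, a-z, 0-9, `-` and `_` (or pass an explicit byte count if 16 is what is intended). In the block above `def User.hash(token)`, "Encrypt the remember token" and "the encrypted version of the cookie" are wrong for `Digest::SHA1.hexdigest`, which is a one-way hash, not encryption; the next paragraph already reasons from the value being irreversible, so change both to "hash" / "hashed version" and fix "atacker". Separately, a class method named `hash` shadows `Object#hash` on the `User` class object, so any code that uses `User` as a Hash key will call this one-argument method and fail; a name such as `digest` avoids that.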