I have yet to review the code, but just want to give you a heads up that I'll be cutting a new patch version first since we're overdue for one, and this feature can go with the next minor version.
Ping @sikachu?
@rafaelfranca what do you think about this feature? I forgot that it's been here for about a year now... Do you think this is a good feature to have?
Ping @sikachu? This seems like a solid addition to the gem.
This reverts commit 049b079.
Hi @sikachu @rafaelfranca, this PR has been updated for all Ruby and Rails versions declared in its GitHub Actions workflow. If possible, it would be appreciated if you would let us know whether you intend to accept this PR or not.
This patch helps block a security footgun. If anything, it should default to signing and/or encrypting values. Anything I can do to help move this forward? |
Is there a reason not to accept this PR?
This change fixes #48 by optionally signing or encrypting the cookie. Although #48 primarily concerns signing, I also added encryption support for completeness (though as mentioned here, this is technically not necessary).
Two new configuration parameters are defined: sign_cookie and encrypt_cookie. Both default to false for backwards compatibility.

The tests succeed under Rails 4, 5, and 6.
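As an added illustration of what the two options buy (this is not code from the PR or the gem), a small stand-in codec in plain Ruby: with both options off, whatever the client sends back is trusted as-is, which is the footgun mentioned above; sign_cookie rejects any cookie whose HMAC does not verify, and encrypt_cookie additionally hides the contents behind AES-256-GCM. Rails' own cookies.signed and cookies.encrypted jars do this through ActiveSupport::MessageVerifier and MessageEncryptor; the class name, method names, key derivation and secret below are assumptions of this example.

```ruby
require "openssl"
require "base64"
require "json"

# Hypothetical stand-in for the PR's sign_cookie / encrypt_cookie options
# (Rails' cookies.signed / cookies.encrypted jars do this via ActiveSupport).
class CookieCodec
  def initialize(secret, sign: false, encrypt: false)
    @sign, @encrypt = sign, encrypt
    # Derive two keys so the HMAC key is never also the cipher key.
    @mac_key = OpenSSL::HMAC.digest("SHA256", secret, "sign_cookie")
    @enc_key = OpenSSL::HMAC.digest("SHA256", secret, "encrypt_cookie")
  end

  # Value -> cookie string; plain base64 JSON unless an option is enabled.
  def dump(value)
    payload = JSON.generate(value)
    payload = encrypt(payload) if @encrypt
    data = Base64.strict_encode64(payload)
    @sign ? "#{data}--#{hmac(data)}" : data
  end

  # Cookie string -> value, or nil when the HMAC or GCM tag does not verify.
  # With both options off, whatever the client sends is trusted: the footgun.
  def load(cookie)
    data, mac = @sign ? cookie.split("--", 2) : [cookie, nil]
    return nil if @sign && !(mac && secure_compare(hmac(data), mac))
    payload = Base64.strict_decode64(data)
    payload = decrypt(payload) if @encrypt
    JSON.parse(payload)
  rescue ArgumentError, JSON::ParserError, OpenSSL::Cipher::CipherError
    nil
  end

  private

  def hmac(data); OpenSSL::HMAC.hexdigest("SHA256", @mac_key, data); end

  def secure_compare(a, b) # constant time: no early exit on the first bad byte
    a.bytesize == b.bytesize && a.bytes.zip(b.bytes).sum { |x, y| x ^ y }.zero?
  end

  def encrypt(plain) # AES-256-GCM: 12-byte IV, 16-byte tag, then ciphertext
    c = OpenSSL::Cipher.new("aes-256-gcm").encrypt
    c.key = @enc_key
    iv = c.random_iv
    body = c.update(plain) + c.final
    iv + c.auth_tag + body
  end

  def decrypt(blob)
    raise ArgumentError, "truncated" if blob.bytesize <= 28
    c = OpenSSL::Cipher.new("aes-256-gcm").decrypt
    c.key = @enc_key
    c.iv, c.auth_tag = blob[0, 12], blob[12, 16]
    c.update(blob[28..-1]) + c.final
  end
end
```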