Limit remember cookie to httponly

[stevepolitodesign]

Before

rails-authentication-from-scratch/app/controllers/concerns/authentication.rb

Lines 37 to 39 in b3e253f

	def remember(active_session)
	cookies.permanent.encrypted[:remember_token] = active_session.remember_token
	end

After

def remember(active_session)
  cookies.permanent.encrypted[:remember_token] = { value: active_session.remember_token, httponly: true }
end

Issues

set httponly cookie

[stevepolitodesign]

We can update this test to include the following:

rails-authentication-from-scratch/test/controllers/sessions_controller_test.rb

Lines 34 to 47 in b3e253f

	test "should remember user when logging in" do
	assert_nil cookies[:remember_token]
	post login_path, params: {
	user: {
	email: @confirmed_user.email,
	password: @confirmed_user.password,
	remember_me: 1
	}
	}
	assert_not_nil current_user
	assert_not_nil cookies[:remember_token]
	end

remember_me_cookie = cookies.get_cookie("remember_token")

assert remember_me_cookie.http_only?
assert remember_me_cookie.secure?
assert_equal "Strict", remember_me_cookie.to_h["SameSite"]