In a Rails app, when a user selects 'remember me' during login, what mechanism keeps them logged in across browser sessions?
Think about how Rails securely identifies a user without storing sensitive info directly in cookies.
The 'remember me' feature uses a permanent cookie containing a secure token. This token matches a digest stored in the database, allowing Rails to authenticate the user automatically on future visits without asking for credentials again.
Which code snippet correctly sets a permanent signed cookie named remember_token with value token?
Remember the chaining order for setting permanent and signed cookies in Rails.
In Rails, cookies.permanent.signed[:key] sets a cookie that is both permanent (expires 20 years later) and signed (encrypted to prevent tampering). Option B uses this correct chaining.
Given this code snippet in a Rails app, users report that the 'remember me' cookie disappears after closing the browser. What is the likely cause?
cookies[:remember_token] = user.remember_token
Think about the difference between session cookies and permanent cookies.
By default, cookies set without the permanent method expire when the browser session ends. To persist across sessions, the cookie must be set as permanent.
current_user after browser restart with 'remember me' enabled?
In a Rails app with 'remember me' implemented, after closing and reopening the browser, what will current_user be if the remember token cookie is valid?
Consider how the app uses the remember token cookie to restore user state.
The app reads the remember token from the cookie, finds the matching user in the database, and sets current_user accordingly, even if the session was lost.
Why should a Rails app never store the user's password directly in a cookie for 'remember me' functionality?
Think about security risks of storing sensitive data on the client side.
Cookies can be stolen or read by malicious actors. Storing passwords directly exposes users to theft and unauthorized access. Instead, apps store secure tokens that can be revoked.