We had a security hole because we stored an authentication token (the "remember me" secret) in a cookie.
This code is insecure:

```ruby
def current_user
  # If the session has no user, fall back to the persistent cookie.
  # That fallback is the hole: it authenticates the user on any request
  # that carries the cookie, even one whose session was just reset.
  @current_user ||= (User.find_by_id(session[:user_id]) || begin
    Account::Cookie.user_by_secret(cookies[:secret])
  end)
end
```
How to exploit it:

othersite.com contains the following HTML (jQuery is assumed to be loaded on the page):

```html
<form action="http://gistflow.com/account/following/releu" method="post">
</form>
<script>
  // submit the cross-site form automatically when the page loads
  $('form').submit();
</script>
```

The victim's browser attaches gistflow.com's cookies to this request. The form carries no authenticity token, so Rails' forgery protection resets the session, but `current_user` then falls back to `cookies[:secret]` and the action runs as the logged-in user.
The right solution is to store only non-secret information in cookies: the session id, and nothing that authenticates a user by itself.
To keep the user logged in after the browser is closed, increase the lifetime of the session instead:

```ruby
# config/initializers/session_store.rb
Gistflow::Application.config.session_store :redis_store, expire_after: 8.days
```
Now a request without an authenticity token just resets the session; there is no cookie fallback left to fall through to, so nothing bad happens.
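To make the difference concrete, here is an added example (not gistflow's code) that models the request flow without Rails: a CSRF check that resets the session the way Rails' default `handle_unverified_request` does, then the vulnerable lookup beside the fixed one. `User` and `Account::Cookie` are replaced by constructed in-memory tables, and the request hashes are constructed sample data.

```ruby
# Added example, not gistflow's code. Rails-free model of protect_from_forgery
# plus the two current_user variants. USERS and REMEMBER_SECRETS stand in for
# User.find_by_id and Account::Cookie.user_by_secret (constructed data).
USERS = { 1 => "releu" }.freeze
REMEMBER_SECRETS = { "s3cr3t" => 1 }.freeze   # persistent cookie secret -> user id

# What Rails' default handle_unverified_request does on a non-GET request
# whose authenticity_token does not match the one kept in the session:
# reset the session. The request itself is still processed afterwards.
def verify_csrf!(request)
  return if request[:method] == "GET"
  expected = request[:session][:_csrf_token]
  request[:session].clear unless request[:params]["authenticity_token"] == expected
end

# Vulnerable lookup: when the session has no user, fall back to the
# persistent cookie, which the forged request still carries.
def current_user_vulnerable(request)
  USERS[request[:session][:user_id]] ||
    USERS[REMEMBER_SECRETS[request[:cookies][:secret]]]
end

# Fixed lookup: the (long-lived, server-side) session is the only source of identity.
def current_user_fixed(request)
  USERS[request[:session][:user_id]]
end

# Runs CSRF verification, then the given lookup; returns who the action
# would run as (nil means "not logged in").
def acting_user(request)
  verify_csrf!(request)
  yield request
end

# Constructed request as the victim's browser sends it from othersite.com's
# auto-submitted form: gistflow.com's cookies are attached, but the attacker
# cannot supply a valid authenticity token.
def forged_request
  {
    method: "POST",
    params: {},
    session: { user_id: 1, _csrf_token: "tok" },
    cookies: { secret: "s3cr3t" },
  }
end

# Constructed request from gistflow.com's own form, token included.
def legitimate_request
  forged_request.merge(params: { "authenticity_token" => "tok" })
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable, forged:  #{acting_user(forged_request) { |r| current_user_vulnerable(r) }.inspect}"
  puts "fixed, forged:       #{acting_user(forged_request) { |r| current_user_fixed(r) }.inspect}"
  puts "fixed, legitimate:   #{acting_user(legitimate_request) { |r| current_user_fixed(r) }.inspect}"
end
```

With the vulnerable lookup the forged request still acts as "releu"; with the fixed lookup it acts as nobody, while the legitimate request (token present, session intact) keeps working.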
P.S. Don't trust everything you google. This popular solution has the same bug: http://railscasts.com/episodes/274-remember-me-reset-password.