Drop Remember-me cookie's Expires when the box is unchecked

Without Remember-me the session cookie was still being written via
`cookies.signed.permanent`, so it survived browser restart on shared
devices — surprising for a user who explicitly opted out of Remember-me.
Issue a browser-session cookie (no Expires) when remember_me is off;
the server-side Session#expires_at still bounds the 24h / 30d window.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Dan Milne
2026-05-02 23:54:09 +10:00
parent cc93f72f0a
commit 556656d090
2 changed files with 27 additions and 1 deletions


@@ -73,7 +73,15 @@ module Authentication
# Set domain for cross-subdomain authentication if we can extract it
cookie_options[:domain] = domain if domain.present?
cookies.signed.permanent[:session_id] = cookie_options
# When "Remember me" is off, issue a browser-session cookie (no Expires)
# so closing the browser signs the user out — especially important on
# shared devices. The server Session#expires_at still enforces the
# 24h / 30d window regardless.
if remember_me
cookies.signed.permanent[:session_id] = cookie_options
else
cookies.signed[:session_id] = cookie_options
end
# Create a one-time token for immediate forward auth after authentication
# This solves the race condition where browser hasn't processed cookie yet
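Review bot: the branch at `if remember_me` decides between `cookies.signed.permanent` and `cookies.signed`, but nothing in this hunk shows where `remember_me` comes from or how it is coerced; if it is a raw checkbox param, an unchecked box arrives as the string "0", which is truthy in Ruby, so the permanent cookie would still be written. Cast it explicitly before the branch (for example `ActiveModel::Type::Boolean.new.cast(params[:remember_me])`) or make the caller pass a real boolean. Also confirm that `cookie_options` does not itself carry an `:expires` key: `permanent` overwrites it, but the plain `cookies.signed[:session_id] = cookie_options` path would honour it and the cookie would not be a browser-session cookie after all. Finally, the new comment's "closing the browser signs the user out" overstates the guarantee: browsers with session restore enabled keep session cookies across restarts, so the server-side `Session#expires_at` mentioned in the comment is the only bound that holds on shared devices, and the comment should say so.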