| author | Louise Crow <louise.crow@gmail.com> | 2015-03-30 16:00:02 +0100 | 
|---|---|---|
| committer | Louise Crow <louise.crow@gmail.com> | 2015-03-30 16:00:02 +0100 | 
| commit | f24cc98afa25ad6010ae5316eecc15dfdb3fa79b (patch) | |
| tree | c32fecb16bb2097da7dfdf90e6915fce0bf1a425 /app/controllers/application_controller.rb | |
| parent | 823e58dc69960c600230b10604a0051359173f85 (diff) | |
| parent | 3c0604cf900ad274d8f6ff421d39854ccbf4b6af (diff) | |
Merge branch 'release/0.21'0.21.0.0
Conflicts:
	locale/cy/app.po
	locale/es_NI/app.po
	locale/hr/app.po
	locale/is_IS/app.po
	locale/sr@latin/app.po
Diffstat (limited to 'app/controllers/application_controller.rb')
| -rw-r--r-- | app/controllers/application_controller.rb | 30 | 
1 files changed, 30 insertions, 0 deletions
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 4d3f40d40..dbd879a1c 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -14,9 +14,14 @@ class ApplicationController < ActionController::Base
     end
     class RouteNotFound < StandardError
     end
+    protect_from_forgery
+
     # assign our own handler method for non-local exceptions
     rescue_from Exception, :with => :render_exception
 
+    # Add some security-related headers (see config/initializers/secure_headers.rb)
+    ensure_security_headers
+
     # Standard headers, footers and navigation for whole site
     layout "default"
     include FastGettext::Translation # make functions like _, n_, N_ etc available)
@@ -27,6 +32,8 @@ class ApplicationController < ActionController::Base
     before_filter :check_in_post_redirect
     before_filter :session_remember_me
     before_filter :set_vary_header
+    before_filter :validate_session_timestamp
+    after_filter  :persist_session_timestamp
 
     def set_vary_header
         response.headers['Vary'] = 'Cookie'
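Review bot: `protect_from_forgery` is enabled here with the default unverified-request handler, so a request whose authenticity token is missing or wrong is not rejected but served with the session cleared (or nulled, depending on the Rails version, which is not visible in this diff), which silently turns a forged or token-less request into an anonymous one and hides CSRF misconfiguration from tests and logs. Prefer failing closed with `protect_from_forgery :with => :exception`, and have the `render_exception` handler declared just below it map `ActionController::InvalidAuthenticityToken` to a 4xx page rather than a generic 500. Any controller that legitimately receives cross-site POSTs should then opt out per action with `skip_before_filter :verify_authenticity_token` instead of weakening the global setting.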
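Review bot: `validate_session_timestamp` is registered after `check_in_post_redirect` and `session_remember_me`, so those filters run against a `session[:user_id]` that may be about to be declared expired; if either of them acts on behalf of the logged-in user (their bodies are outside this hunk), the TTL check should be declared first so an expired session is invalidated before anything else trusts it. Note also that `after_filter :persist_session_timestamp` does not run when a before filter halts the chain with a redirect, which is harmless here but worth a comment: `# after_filter: skipped when a before_filter halts, so the TTL is only refreshed on served requests`.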
@@ -118,6 +125,29 @@ class ApplicationController < ActionController::Base
         end
     end
 
+    # Set a TTL for non "remember me" sessions so that the cookie
+    # is not replayable forever
+    SESSION_TTL = 3.hours
+    def validate_session_timestamp
+        if session[:user_id] && session.key?(:ttl) && session[:ttl] < SESSION_TTL.ago
+            clear_session_credentials
+            redirect_to signin_path
+        end
+    end
+
+    def persist_session_timestamp
+        session[:ttl] = Time.now if session[:user_id] && !session[:remember_me]
+    end
+
+    # Logout form
+    def clear_session_credentials
+        session[:user_id] = nil
+        session[:user_circumstance] = nil
+        session[:remember_me] = false
+        session[:using_admin] = nil
+        session[:admin_name] = nil
+    end
+
     def render_exception(exception)
         # In development or the admin interface let Rails handle the exception
         # with its stack trace templates
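Review bot: The `session.key?(:ttl)` guard in `validate_session_timestamp` means a logged-in cookie that carries no `:ttl` — one issued before this deploy, or an older copy replayed by whoever captured it — is never expired, and since `persist_session_timestamp` only writes the timestamp into the response cookie, a replayed copy never acquires one. Treat a missing timestamp on a non-remember-me login as expired instead: `if session[:user_id] && !session[:remember_me] && (session[:ttl].nil? || session[:ttl] < SESSION_TTL.ago)`. The added `!session[:remember_me]` also stops a remember-me session that still carries a stale `:ttl` from an earlier plain login being logged out, since `persist_session_timestamp` never refreshes it for those. Whether `session[:ttl]` round-trips as a `Time` depends on the session serializer, which is not visible here; with a JSON-serialized cookie store the `<` comparison would raise on a String, so that is worth confirming. Separately, `clear_session_credentials` could call `reset_session` so the session id is rotated along with the credentials rather than leaving the old id and any other session state in place.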
