From d76c2e82328ed2a00add7bdfb528ed4393e640b7 Mon Sep 17 00:00:00 2001
From: Louise Crow
Date: Fri, 21 Nov 2014 14:54:26 +0000
Subject: Enforce a lifetime on session cookies

Problem described in http://seclists.org/fulldisclosure/2013/Sep/145
Pattern taken from https://www.coffeepowered.net/2013/09/26/rails-session-cookies/
---
 app/controllers/user_controller.rb | 10 +---------
 1 file changed, 1 insertion(+), 9 deletions(-)

(limited to 'app/controllers/user_controller.rb')

diff --git a/app/controllers/user_controller.rb b/app/controllers/user_controller.rb
index baeaab18a..9798ff8e2 100644
--- a/app/controllers/user_controller.rb
+++ b/app/controllers/user_controller.rb
@@ -260,16 +260,8 @@ class UserController < ApplicationController
     do_post_redirect post_redirect
   end
 
-  # Logout form
-  def _do_signout
-    session[:user_id] = nil
-    session[:user_circumstance] = nil
-    session[:remember_me] = false
-    session[:using_admin] = nil
-    session[:admin_name] = nil
-  end
   def signout
-    self._do_signout
+    clear_session_credentials
     if params[:r]
       redirect_to params[:r]
     else
-- 
cgit v1.2.3
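Review bot: The new `clear_session_credentials` call in `signout` replaces `_do_signout`, but the helper is not defined in this file (presumably it lives in ApplicationController, outside this diff), so the hunk alone cannot show that it still clears every key the removed method did — `:user_circumstance`, `:using_admin` and `:admin_name` as well as `:user_id` and `:remember_me`. If the shared helper only resets the user id and the new lifetime timestamps, admin impersonation state would survive a signout, so this deserves a controller test asserting each of those session keys is nil after `signout`. Since signout is also the natural point to invalidate the whole session, consider `reset_session` (or calling it inside the helper) so the session id is rotated and any other server-side state is dropped, rather than nil-ing keys one by one. The `signout` method continues past the end of the hunk.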