Extend Devise remember_me longevity to 1 year instead of 2 weeks (#4587)

Force SSL only cookies for remember_me, adjust confirmation expiration time to fit with the user cleanup scheduler
2017-08-12 16:30:59 +02:00 · 2017-08-12 16:30:59 +02:00 · 40be4ea239
parent 3d47154c20
commit 40be4ea239
1 changed files with 3 additions and 3 deletions
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@ -154,7 +154,7 @@ Devise.setup do |config|
  # their account can't be confirmed with the token any more.
  # Default is nil, meaning there is no restriction on how long a user can take
  # before confirming their account.
-  # config.confirm_within = 3.days
+  config.confirm_within = 2.days

  # If true, requires any email changes to be confirmed (exactly the same way as
  # initial account confirmation) to be applied. Requires additional unconfirmed_email
@ -167,7 +167,7 @@ Devise.setup do |config|

  # ==> Configuration for :rememberable
  # The time the user will be remembered without asking for credentials again.
-  # config.remember_for = 2.weeks
+  config.remember_for = 1.year

  # Invalidates all the remember me tokens when the user signs out.
  config.expire_all_remember_me_on_sign_out = true
@ -177,7 +177,7 @@ Devise.setup do |config|

  # Options to be passed to the created cookie. For instance, you can set
  # secure: true in order to force SSL only cookies.
-  # config.rememberable_options = {}
+  config.rememberable_options = { secure: true }

  # ==> Configuration for :validatable
  # Range for password length.