stevepolitodesign · mdchaney · Jun 12, 2024 · Jun 12, 2024 · Jun 14, 2024 · Jun 14, 2024
diff --git a/app/controllers/concerns/authentication.rb b/app/controllers/concerns/authentication.rb
@@ -35,7 +35,12 @@ def redirect_if_authenticated
   end
 
   def remember(active_session)
-    cookies.permanent.encrypted[:remember_token] = active_session.remember_token
+    cookies.permanent.encrypted[:remember_token] = {
+      value: active_session.remember_token,
+      secure: Rails.env.production?,
+      httponly: true,
+      same_site: :strict
+    }
   end
 
   private

diff --git a/test/controllers/sessions_controller_test.rb b/test/controllers/sessions_controller_test.rb
@@ -44,6 +44,11 @@ class SessionsControllerTest < ActionDispatch::IntegrationTest
 
     assert_not_nil current_user
     assert_not_nil cookies[:remember_token]
+
+    remember_me_cookie = cookies.get_cookie("remember_token")
+
+    assert remember_me_cookie.http_only?
+    assert_equal "Strict", remember_me_cookie.to_h["SameSite"]
   end
 
   test "should forget user when logging out" do