

Signed and Permanent Cookies in Rails 3 - lonestar
http://m.onkey.org/2010/2/5/signed-and-permanent-cookies-in-rails-3

======
wglb
Looks like a cool feature, but I haven't yet gotten into Ruby or Rails. I do
have one question, though. There is an interesting looking language feature I
see: _20.years.from_now.utc_. I would presume that to mean "20 years from this
time in zulu". So presuming that _20.years.from_now.cdt_ means central
daylight time, is that a different time?

To put the question a little shorter, isn't the concept of "20 years from now"
independent of time zone, or am I missing something?

~~~
bodhi

        irb(main):033:0> 20.years
        => 20 years               # ??????
        irb(main):030:0> 20.years.to_i
        => 631152000              # number of seconds in 20 years
        irb(main):026:0> 20.years.from_now
        => Sun Feb 10 10:14:11 +1100 2030 # AEDT
        irb(main):027:0> 20.years.from_now.utc
        => Sat Feb 09 23:14:14 UTC 2030   # UTC/GMT
    

Ruby Time instances have a timezone, calling Time#utc returns the instance
time converted from localtime -- or whatever timezone it is -- to UTC or
Greenwich Mean Time. You are correct in that it shouldn't matter which one you
use in this situation though.

~~~
psadauskas
Your first one, commented with ??????, is an instance of a Duration object. It
implements the #ago and #from_now methods, so that Integer objects aren't
cluttered with methods that mean nothing to it.

[http://api.rubyonrails.org/classes/ActiveSupport/Duration.ht...](http://api.rubyonrails.org/classes/ActiveSupport/Duration.html)

------
Groxx
I feel like I'm not understanding something. How is this "signed"? It appears
they're just storing the user's salt in their cookie... in which case you
might as well store any other random info, it doesn't mean it's "signed", it
just prevents people from changing their cookie's user_id and logging in as
someone else. Didn't they already have something like that in place?

~~~
weavejester
Usually signing a cookie means adding a HMAC to the end of it so the user
can't modify the contents without invalidating it. The example given seems
kinda misleading, because including the salt offers some measure of protection
against tampering anyway.

~~~
Groxx
See, _that's_ signing. That has a lot of use, and there are a lot of ways to
make that however secure you want. The example doesn't seem to do _any_ of
that, though, it's simply storing two user-specific details, one of which the
user shouldn't know. Or, at least, one which _other_ users _wouldn't_ know.

Again, that's unless I'm missing something.

------
z8000
"A whole lot easier" Is this a joke?

~~~
tptacek
I don't understand your objection.

~~~
z8000
1\. Rails already makes things very easy. 2. The improvement was for something
that (yes, subjectively) did not look overly burdensome to begin with.

~~~
tptacek
Cookies with MACs did in fact get substantially easier, that was in fact a
feature people regularly screwed up, and the fact that you have to manually
arrange to expire user-based cookies when passwords change is a sign that
there's still work left to be done.

The more of this functionality Rails takes over and stops leaving up to
developers, the happier I'll be.

