Remember the user through the remember token. This strategy is responsible for verifying whether there is a cookie with the remember token, and for recreating the user from this cookie if it exists. Must be called before authenticatable.
To authenticate a user, we deserialize the cookie and attempt to find the record in the database. If the attempt fails, we delete the cookie and pass, so that another strategy can handle the authentication.
# File lib/devise/strategies/rememberable.rb, line 19
def authenticate!
  resource = mapping.to.serialize_from_cookie(*remember_cookie)

  unless resource
    cookies.delete(remember_key)
    return pass
  end

  if validate(resource)
    remember_me(resource)
    extend_remember_me_period(resource)
    resource.after_remembered
    success!(resource)
  end
end
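The cookie-to-record step of authenticate!, modelled as an added stand-alone example (not Devise's own code): a cookie that cannot be resolved to a user is deleted and the strategy passes instead of failing. `User`, `USERS`, `REMEMBER_FOR`, `secure_compare`, `authenticate`, the `[id, token, generated_at]` payload layout and the token and expiry checks are assumptions of this sketch; the `validate(resource)` and period-extension steps are not modelled.

```ruby
require "securerandom"

# Hypothetical stand-ins, not Devise classes: an in-memory user table and
# an assumed two-week remember period.
User = Struct.new(:id, :remember_token)
USERS = {}
REMEMBER_FOR = 14 * 24 * 3600 # seconds (assumed value)

# Constant-time comparison so a token mismatch does not leak its position.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Model of serialize_from_cookie: rebuild the user from the cookie payload
# [id, token, generated_at], or return nil if any check fails.
def serialize_from_cookie(*args, now: Time.now)
  id, token, generated_at = args
  user = USERS[id]
  return nil unless user && token.is_a?(String) && generated_at.is_a?(Time)
  return nil unless secure_compare(user.remember_token, token)
  return nil if generated_at + REMEMBER_FOR < now # cookie too old
  user
end

# Model of valid? plus authenticate!: returns [:success, user] or
# [:pass, nil]; an unresolvable cookie is deleted before passing.
def authenticate(cookies, key: "remember_user_token", now: Time.now)
  payload = cookies[key]
  return [:pass, nil] if payload.nil? || payload.empty? # strategy not valid
  user = serialize_from_cookie(*payload, now: now)
  unless user
    cookies.delete(key)
    return [:pass, nil]
  end
  [:success, user]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample data: one user, one fresh cookie, one forged cookie.
  token = SecureRandom.hex(16)
  USERS[1] = User.new(1, token)
  fresh  = { "remember_user_token" => [1, token, Time.now - 60] }
  forged = { "remember_user_token" => [1, SecureRandom.hex(16), Time.now - 60] }
  p authenticate(fresh).first
  p authenticate(forged).first
  p forged
end
```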
There is no need to clean up the CSRF token when using rememberable. In fact, cleaning it up here would be a bug, because rememberable is triggered on GET requests, which means we would render a page on first access with all CSRF tokens expired.
# File lib/devise/strategies/rememberable.rb, line 40
def clean_up_csrf?
  false
end
A valid strategy for rememberable needs a remember token in the cookies.
# File lib/devise/strategies/rememberable.rb, line 11
def valid?
  @remember_cookie = nil
  remember_cookie.present?
end
# File lib/devise/strategies/rememberable.rb, line 46
def extend_remember_me_period(resource)
  if resource.respond_to?(:extend_remember_period=)
    resource.extend_remember_period = mapping.to.extend_remember_period
  end
end
# File lib/devise/strategies/rememberable.rb, line 56
def remember_key
  mapping.to.rememberable_options.fetch(:key, "remember_#{scope}_token")
end
# File lib/devise/strategies/rememberable.rb, line 52
def remember_me?
  true
end