authorDavisLWebb <davislwebb@ymail.com>2014-03-03 13:52:38 -0500
committerDavisLWebb <davislwebb@ymail.com>2014-03-03 13:52:38 -0500
commit3425bfd0f56495b7d8d9f86ac740fcf90f0fbfdb (patch)
tree58296cb73c7815e98704ce354153f775dfad7dc7 /app/models/user.rb
parent257ccb19453c1d609e724a29349d390e5978b739 (diff)
I added a lot of documentation to user.rb
Diffstat (limited to 'app/models/user.rb')
-rw-r--r--app/models/user.rb30
1 files changed, 27 insertions, 3 deletions
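diff --git a/app/models/user.rb b/app/models/user.rb
index f302baf..53ccdaf 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -81,12 +81,36 @@ has_secure_password which does all of this for me
 validates :password, length: { minimum: 6 }
- # create a random remember token for the user
+=begin
+
+ Create a random remember token for the user. This will be
+ changed every time the user creates a new session.
+
+ By changing the cookie every new session, any hijacked sessions
+ (where the attacker steals a cookie to sign in as a certain
+ user) will expire the next time the user signs back in.
+
+ The random string is of length 16 composed of A-Z, a-z, 0-9
+ This is the browser's cookie value.
+
+=end
+
 def User.new_remember_token
 SecureRandom.urlsafe_base64
 end
-
- # encrypt the remember token
+
+=begin
+
+ Encrypt the remember token.
+ This is the encrypted version of the cookie stored on
+ the database.
+
+ The reasoning for storing a hashed token is so that even if
+ the database is compromised, the atacker won't be able to use
+ the remember tokens to sign in.
+
+=end
+
 def User.hash(token)
 Digest::SHA1.hexdigest(token.to_s)
 end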
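Review bot: The new comment above `User.new_remember_token` (the `=begin` block ending "This is the browser's cookie value.") misdescribes the token: `SecureRandom.urlsafe_base64` with no argument draws 16 random bytes and returns a 22-character URL-safe base64 string over A-Z, a-z, 0-9, `-` and `_`, not a 16-character alphanumeric string, so the sentence should read `The token is SecureRandom.urlsafe_base64 (16 random bytes): a 22-character URL-safe base64 string over A-Z, a-z, 0-9, '-' and '_'.` The second block calls `User.hash` encryption, but `Digest::SHA1.hexdigest` is a one-way hash; "Hash the remember token" / "the hashed version of the cookie stored in the database" is the accurate wording (the same block also misspells "attacker"). Separately, `def User.hash(token)` overrides `Object#hash` on the User class object with a one-argument method, so any no-argument `User.hash` call (for example when the class is used as a Hash key) would raise ArgumentError; a name such as `User.digest` avoids this, though the call sites are outside this hunk and should be checked. The enclosing `class User` starts outside the hunk.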