From 3425bfd0f56495b7d8d9f86ac740fcf90f0fbfdb Mon Sep 17 00:00:00 2001
From: DavisLWebb <davislwebb@ymail.com>
Date: Mon, 3 Mar 2014 13:52:38 -0500
Subject: I added a lot of documentation to user.rb

---
 app/models/user.rb | 30 +++++++++++++++++++++++++++---
 1 file changed, 27 insertions(+), 3 deletions(-)

(limited to 'app/models/user.rb')

diff --git a/app/models/user.rb b/app/models/user.rb
index f302baf..53ccdaf 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -81,12 +81,36 @@ has_secure_password which does all of this for me
 
 	validates :password, length: { minimum: 6 }
 
-	# create a random remember token for the user
+=begin
+
+	Create a random remember token for the user. This will be
+  changed every time the user creates a new session.
+
+	By changing the cookie every new session, any hijacked sessions
+	(where the attacker steals a cookie to sign in as a certain 
+	user) will expire the next time the user signs back in.
+ 
+  The random string is of length 16 composed of A-Z, a-z, 0-9
+	This is the browser's cookie value.
+
+=end
+ 
   def User.new_remember_token
     SecureRandom.urlsafe_base64
   end
-	
-	# encrypt the remember token
+
+=begin
+
+	Encrypt the remember token.
+	This is the encrypted version of the cookie stored on
+  the database.
+
+	The reasoning for storing a hashed token is so that even if
+	the database is compromised, the atacker won't be able to use
+	the remember tokens to sign in.
+
+=end
+
   def User.hash(token)
     Digest::SHA1.hexdigest(token.to_s)
   end
-- 
cgit v1.2.3