Skip to content

Add Dangerfile reminder when setting cookies server-side

Andrew Evans requested to merge 477321-atevans-danger-cookies into master

What does this MR do and why?

If a developer sets a cookie from Rails with a :domain attribute, they must remember to un-set this cookie when a user signs out. This can be hard to remember to do.

This change adds a Danger bot reminder whenever setting cookies is detected in application code, and also documentation of development guidelines when working with cookies.

Primary issue: #477321 (closed)

Previous discussion in: !156213 (comment 2012279812)

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.

Before After
Screenshot_2024-08-09_at_4.24.40_PM

How to set up and validate locally

  1. Check out a new branch off of this one
  2. Add this line of code to any controller action: cookies[:favorite_animal] = 'opossum'
  3. Commit the change
  4. run rails danger_local to run Danger locally
  5. You should see the message It looks like you are setting a server-side cookie. Please note... in the Markdown: section of the output from this command

Related to #477321 (closed)

Merge request reports

Loading