giant robots smashing into other giant robots

We are thoughtbot. We make web & mobile apps.


Blossom the lovely stars, the forget-me-nots of the angels

“Silently, one by one, in the infinite meadows of Heaven, Blossom the lovely stars, the forget-me-nots of the angels.” Evangeline by Henry Wadsworth Longfellow

You’re writing a Rails app. You want users to be able to sign in.

You decide to use Clearance.

How do you expect it to handle “remember me” out of the box?

Remember me unchecked by default

Basecamp and Gmail (sign-in form screenshots)

Remember me checked by default

Eventbrite (sign-in form screenshot)

No remember me checkbox; a cookie is set automatically

GitHub and Tumblr (sign-in form screenshots)
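The three behaviours above, as an added example (not Clearance's code): a plain-Ruby model of the form field each policy renders, what the browser submits when the user leaves that field alone, and the Set-Cookie header that results. The cookie name, the two-week lifetime and the cookie attributes are assumptions made for the illustration.

```ruby
require "securerandom"
require "time"

# Added example, not Clearance's code: models the three "remember me"
# behaviours surveyed above and shows what each does to the session cookie.
# The cookie name, two-week lifetime and cookie attributes are assumptions.

REMEMBER_COOKIE = "remember_token"
REMEMBER_FOR    = 14 * 24 * 60 * 60 # two weeks, in seconds (assumed)

POLICIES = %i[unchecked_by_default checked_by_default always_remember].freeze

# The form field each policy renders. A checkbox the user leaves unticked is
# left out of the submitted form entirely, which is why the default matters.
def render_remember_field(policy)
  case policy
  when :unchecked_by_default
    %(<input type="checkbox" name="remember_me" value="1">)
  when :checked_by_default
    %(<input type="checkbox" name="remember_me" value="1" checked>)
  when :always_remember
    "" # no checkbox at all; the application decides for the user
  else
    raise ArgumentError, "unknown policy #{policy.inspect}"
  end
end

# What the browser submits when the user signs in without touching the box.
def untouched_form_params(policy)
  render_remember_field(policy).include?(" checked") ? { "remember_me" => "1" } : {}
end

def remember?(policy, params)
  return true if policy == :always_remember
  params["remember_me"] == "1"
end

# Set-Cookie header for the session. Without Expires the browser treats it as
# a session cookie and drops it when the browser session ends; with Expires
# it persists, which is all "remember me" really means.
def session_cookie(token, remember:, now: Time.now.utc)
  attrs = ["#{REMEMBER_COOKIE}=#{token}", "Path=/", "HttpOnly", "Secure", "SameSite=Lax"]
  attrs << "Expires=#{(now + REMEMBER_FOR).httpdate}" if remember
  attrs.join("; ")
end

# Sign-in with the form left untouched: the default alone decides whether the
# resulting cookie outlives the browser session.
def sign_in_untouched(policy, now: Time.now.utc)
  token = SecureRandom.urlsafe_base64(32) # random, unguessable per-login token
  session_cookie(token, remember: remember?(policy, untouched_form_params(policy)), now: now)
end

if __FILE__ == $PROGRAM_NAME
  POLICIES.each { |policy| puts "#{policy}: #{sign_in_untouched(policy)}" }
end
```

Run it and the only difference between the first two policies is whether an untouched form yields an Expires attribute; the third policy yields one regardless of what the user does.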

What should an authentication framework prefer?

Right now, Clearance comes with remember unchecked by default. I’m leaning towards changing it to checked by default.

What do you think?


Built-in CSRF protection in Rails will confuse you

If you do Rails development on several applications at once on one machine, reaching them all through the same hostname but on different ports, you might run into a problem.

The problem is that your browser holds a cookie tying you to a session in one application. Browsers scope cookies by host, not by port, so when you hit the second application the browser sends it that same cookie, and you get an empty screen and a 403 in the logs, with little else to go on.

This is a little-documented built-in defence against cross-site request forgery (not cross-site scripting): Rails' request forgery protection rejects a request whose session cookie and authenticity token do not check out, and a session cookie issued by a different application never will. You won't know that when you keep getting empty screens back from an otherwise correct application.

You can solve this by deleting your cookies for that host, or by clearing the applications' session stores. To keep it from recurring, give each application its own session cookie name so the two stop colliding.
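The collision described above, as an added example that is not part of the original post and not Rails' code: a cookie jar that, like a browser, keys cookies by host and ignores the port; two applications that issue HMAC-signed session cookies (a stand-in for a cookie-based session store, with made-up hostnames, cookie names and secrets); and the same sign-in-then-request sequence run once with a shared cookie name and once with distinct names.

```ruby
require "openssl"
require "uri"

# Added example, not Rails code: models why two apps served from the same
# hostname on different ports trip over each other's session cookie, and why
# giving each app its own cookie name stops it. Hostnames, cookie names and
# secrets below are made up.

# Browsers scope cookies by host (and path), never by port, so a cookie set
# by localhost:3000 is sent to localhost:3001 too. This jar ignores the port
# on purpose to mirror that.
class CookieJar
  def initialize
    @store = Hash.new { |hash, host| hash[host] = {} }
  end

  def set(url, name, value)
    @store[URI(url).host][name] = value
  end

  def cookies_for(url)
    @store[URI(url).host].dup
  end
end

# A minimal signed cookie in the style of a cookie-based session store:
# "base64(data)--hex(HMAC-SHA1(secret, base64(data)))".
class SignedSession
  def initialize(secret)
    @secret = secret
  end

  def generate(data)
    payload = [data].pack("m0") # strict base64, no newlines
    "#{payload}--#{digest(payload)}"
  end

  # Returns the session data, or nil when the signature does not verify,
  # which is what happens to a cookie signed with another app's secret.
  def verify(cookie)
    payload, signature = cookie.to_s.split("--", 2)
    return nil unless payload && signature && secure_compare(digest(payload), signature)
    payload.unpack1("m0")
  rescue ArgumentError # malformed base64
    nil
  end

  private

  def digest(payload)
    OpenSSL::HMAC.hexdigest("SHA1", @secret, payload)
  end

  # Constant-time comparison so the check does not leak the digest byte by byte.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

class App
  attr_reader :url

  def initialize(url, cookie_name:, secret:)
    @url = url
    @cookie_name = cookie_name
    @sessions = SignedSession.new(secret)
  end

  def sign_in(jar, user)
    jar.set(url, @cookie_name, @sessions.generate(user))
  end

  # [status, body]: no cookie means a fresh session; a cookie that fails to
  # verify is rejected with an empty 403, the symptom described above.
  def handle(jar)
    cookie = jar.cookies_for(url)[@cookie_name]
    return [200, "fresh session"] if cookie.nil?
    user = @sessions.verify(cookie)
    user ? [200, "hello #{user}"] : [403, ""]
  end
end

# Sign in to app A, then request both apps through the same browser jar.
def demo(cookie_name_a, cookie_name_b)
  jar = CookieJar.new
  a = App.new("http://localhost:3000", cookie_name: cookie_name_a, secret: "secret-for-app-a")
  b = App.new("http://localhost:3001", cookie_name: cookie_name_b, secret: "secret-for-app-b")
  a.sign_in(jar, "alice")
  { app_a: a.handle(jar), app_b: b.handle(jar) }
end

if __FILE__ == $PROGRAM_NAME
  p demo("_session_id", "_session_id")       # shared name: app B receives A's cookie and 403s
  p demo("_app_a_session", "_app_b_session") # distinct names: both apps behave
end
```

The quick check in a real setup is the same as the model: look at the cookie names each application sets in your browser's cookie view; if both applications use the same name on the same host, the second one is being handed a cookie it did not issue.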