Optionally sign or encrypt cookie

[rchekaluk]

This change fixes #48 by optionally signing or encrypting the cookie. Although #48 primarily concerns signing, I also added encryption support for completeness (though as mentioned here, this is technically not necessary).

Two new configuration parameters are defined: sign_cookie, encrypt_cookie. Both default to false for backwards compatibility.

sign_cookie	encrypt_cookie	Behavior
false	false	Cleartext cookie
false	true	Encrypted cookie
true	false	Signed cookie
true	true	Encrypted cookie

The tests succeed under Rails 4, 5, and 6.

[sikachu]

I have yet to review the code yet, but just want to give you a heads up that I'll be cutting a new patch version first since we're overdue for one, and this feature can go with the next minor version.

[rchekaluk]

Ping @sikachu ?

[sikachu]

@rafaelfranca what do you think about this feature? I forgot that it's here for about a year now ...

Do you think this is a good feature to have?

[rchekaluk]

Ping @sikachu ? This seems like a solid addition to the gem.

[rchekaluk]

Hi @sikachu @rafaelfranca this PR has been updated for all rubies and Rails declared in its GitHub Actions workflow.

If possible, it would be appreciated if you would let us know if you intend to accept this PR or not.

[hibachrach]

This patch helps block a security footgun. If anything, it should default to signing and/or encrypting values. Anything I can do to help move this forward?