Set session cookie as secure in rails

I have Rails application, which is running on https. My application session cookies are http-only. How to set those cookies as secure and https-only in rails?

asked Mar 19 '15 by Srinivas Yadav




1 Answer

Rails 3/4

If you want to flag the session cookie as secure, in config/initializers/session_store.rb, set the secure flag:

Demo::Application.config.session_store :cookie_store,
  key: '_demo_session',
  secret: "your secret",
  secure: Rails.env.production?, # flags cookies as secure only in production
  httponly: true # should be true by default for all cookies

If you want to flag all cookies as secure, add config.force_ssl = true in the desired config/environments/*.rb file. This feature adds other functionality to your Rails app, summarized here.

answered Oct 16 '22 by jmera
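The options in the answer above end up as attributes on the session cookie's Set-Cookie header, and the practical check after deploying is to read that header back and confirm that a browser will withhold the cookie on a plain-http request. The following Ruby is an added example, not code from the answer or from Rails itself: session_set_cookie, parse_set_cookie, audit_cookie and cookie_sent? are illustrative helpers built only on the standard library, the sample cookie values are constructed, and the attribute spelling ("secure", "HttpOnly") is an assumption about the header text rather than a statement about what Rack emits.

```ruby
# Added example, not from the original answer or from Rails. Builds the
# Set-Cookie header that session_store options like the ones above translate
# to, audits any Set-Cookie header for the Secure and HttpOnly attributes, and
# models the browser rule that a Secure cookie is never sent over plain http.
require 'cgi'

# Mirrors the option names used in config/initializers/session_store.rb.
# The keyword names and defaults here are illustrative, not Rails internals.
def session_set_cookie(key:, value:, secure:, httponly: true, same_site: nil, path: '/')
  parts = ["#{CGI.escape(key)}=#{CGI.escape(value)}", "path=#{path}"]
  parts << 'secure' if secure      # Secure attribute: https-only transmission
  parts << 'HttpOnly' if httponly  # HttpOnly attribute: hidden from document.cookie
  parts << "SameSite=#{same_site}" if same_site
  parts.join('; ')
end

# Parse one Set-Cookie header value into name, value and a case-insensitive
# attribute hash (valueless attributes such as Secure map to true).
def parse_set_cookie(header)
  pair, *attrs = header.split(/;\s*/)
  name, value = pair.split('=', 2)
  attributes = attrs.each_with_object({}) do |attr, h|
    k, v = attr.split('=', 2)
    h[k.downcase] = v.nil? ? true : v
  end
  { name: name, value: value, attributes: attributes }
end

# Audit a Set-Cookie header the way a pentest checklist does: return the
# hardening attributes that are missing (empty array means both are present).
def audit_cookie(header)
  attrs = parse_set_cookie(header)[:attributes]
  missing = []
  missing << 'Secure' unless attrs.key?('secure')
  missing << 'HttpOnly' unless attrs.key?('httponly')
  missing
end

# Browser rule behind the Secure attribute: a cookie carrying it is attached
# only to requests whose scheme is https; any other cookie is sent on both.
def cookie_sent?(header, scheme)
  attrs = parse_set_cookie(header)[:attributes]
  return true unless attrs.key?('secure')
  scheme == 'https'
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values standing in for the production and development
  # settings of secure: Rails.env.production?
  prod = session_set_cookie(key: '_demo_session', value: 'opaque', secure: true)
  dev  = session_set_cookie(key: '_demo_session', value: 'opaque', secure: false)
  puts "production header: #{prod}"
  puts "missing in development header: #{audit_cookie(dev).inspect}"
  puts "production cookie sent over http? #{cookie_sent?(prod, 'http')}"
  puts "production cookie sent over https? #{cookie_sent?(prod, 'https')}"
end
```

Running the script prints the production header with both attributes, reports that the development header lacks Secure, and shows the production cookie being withheld on http while still sent on https. The same audit_cookie check can be pointed at the Set-Cookie line from a real response (for example the output of curl -I against the deployed app) to verify the setting took effect.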