How to Set the Httponly Flag on a Cookie in Ruby on Rails

How do I set the HttpOnly flag on a cookie in Ruby on Rails?

Set the 'http_only' option in the hash used to set a cookie, e.g.:

    cookies["user_name"] = { :value => "david", :httponly => true }

or, in Rails 2:

    cookies["user_name"] = { :value => "david", :http_only => true }

Set secure flag on session cookie in RoR even over HTTP

Secure cookies are not sent over non-secure connections by definition.

Terminating SSL upstream is quite common, but you need to pass certain header fields through so that Rails knows and can do the right thing.

Here's a document that explains the configuration in pretty good detail for nginx. Search for "Set headers" to jump to the section describing the specific headers you need to pass through.

There are security considerations using this configuration, e.g., if the device terminating SSL is not on the same secure LAN as the Rails host, then you have a vulnerability.

How do I set the session cookie's HttpOnly setting to false?

I figured this out. In /config/environment.rb include this code:

    config.action_controller.session = {
      :httponly => false
    }

Ruby On Rails - Brakeman: Session cookies should be set to HTTP only

By default, Rails sets the HTTPOnly flag on session cookies. This flag disallows JavaScript from reading the cookie (see here for details) and thus prevents cross-site scripting attacks from accessing the cookie. In the case of session cookies, it prevents the stealing/hijacking of sessions via cross-site scripting.

Setting httponly: false in the session store options turns off this protection. You can either set it to true or not set it at all (in which case the default is still true).

However, if an application needs to access the session cookie from JavaScript for some reason, then you have to turn off the httponly option. This should be pretty rare, however.

How can I make cookies secure (https-only) by default in rails?

Thanks @knx, you sent me down the right path. Here's the monkeypatch I came up with, which seems to be working:

    class ActionController::Response
      # Wraps set_cookie so every cookie is written with :secure => true
      def set_cookie_with_security(key, value)
        value = { :value => value } if Hash != value.class
        value[:secure] = true
        set_cookie_without_security(key, value)
      end
      alias_method_chain :set_cookie, :security
    end

What do you think?
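A worked example, added here and not taken from any of the answers above or from Rails itself, that ties the threads on this page together: it serializes a cookie from a Rails-style options hash (`:value`, `:httponly`, `:secure`) into the Set-Cookie header Rack would emit, mirrors the force-secure normalisation of the monkeypatch answer, reproduces the Rack-style "was this request over TLS" decision that depends on the X-Forwarded-Proto header an upstream SSL terminator must pass through, and audits a response's Set-Cookie headers for the Brakeman finding (a session cookie without HttpOnly). Every function name, the `_session_id` cookie name and the sample headers are constructed for this example; none of it is a Rails API.

```ruby
# Added example: stand-ins for the Rails/Rack cookie behaviour discussed in the
# answers above. None of these functions are Rails APIs; they show what the
# :httponly and :secure options turn into on the wire and how a response can be
# audited for them.
require "cgi"
require "time"

# Serialize a cookie from a Rails-style options hash (the keys the answers use:
# :value, :httponly, :secure, plus :path, :domain, :expires). A bare value is
# treated like { :value => value }. Attribute spellings follow what Rack emits:
# "secure" and "HttpOnly".
def build_set_cookie(name, opts)
  opts = { value: opts } unless opts.is_a?(Hash)
  parts = ["#{name}=#{CGI.escape(opts[:value].to_s)}"]
  parts << "path=#{opts[:path]}" if opts[:path]
  parts << "domain=#{opts[:domain]}" if opts[:domain]
  parts << "expires=#{opts[:expires].httpdate}" if opts[:expires]
  parts << "secure" if opts[:secure]
  parts << "HttpOnly" if opts[:httponly]
  parts.join("; ")
end

# The same normalisation the monkeypatch answer applies before set_cookie:
# wrap a bare value in a hash and force :secure on.
def force_secure(value)
  value = { value: value } unless value.is_a?(Hash)
  value.merge(secure: true)
end

# Parse one Set-Cookie header back into its name, value and the two flags this
# page is about. Attribute names are case-insensitive per RFC 6265.
def parse_set_cookie(header)
  pair, *attrs = header.split(/;\s*/)
  name, value = pair.split("=", 2)
  flags = attrs.map { |a| a.split("=", 2).first.downcase }
  { name: name, value: CGI.unescape(value.to_s),
    httponly: flags.include?("httponly"), secure: flags.include?("secure") }
end

# Rack-style decision for "was this request served over TLS". When TLS is
# terminated upstream, the Rails host only sees plain HTTP and relies on the
# X-Forwarded-Proto header the proxy passes through; without it, every decision
# that depends on ssl? (including the session cookie's Secure flag) is made as
# if the request were plain HTTP.
def ssl_request?(env)
  return true if env["HTTPS"] == "on" || env["rack.url_scheme"] == "https"
  env["HTTP_X_FORWARDED_PROTO"].to_s.split(",").first.to_s.strip == "https"
end

# Audit the Set-Cookie headers of one response: the session cookie must carry
# HttpOnly (the Brakeman check) and, when the request was over TLS, Secure.
# Returns a list of findings; an empty list means the response is clean.
def audit_cookies(headers, session_cookie: "_session_id", ssl: true)
  headers.map { |h| parse_set_cookie(h) }.flat_map do |c|
    next [] unless c[:name] == session_cookie
    findings = []
    findings << "#{c[:name]}: missing HttpOnly" unless c[:httponly]
    findings << "#{c[:name]}: missing Secure" if ssl && !c[:secure]
    findings
  end
end

if __FILE__ == $0
  # Constructed sample response: one cookie set the way the first answer shows,
  # and one session cookie that a misconfigured store would emit without flags.
  env = { "HTTP_X_FORWARDED_PROTO" => "https" } # what an nginx terminator passes
  response_headers = [
    build_set_cookie("user_name", { value: "david", httponly: true }),
    "_session_id=abc123; path=/"
  ]
  puts response_headers
  puts audit_cookies(response_headers, ssl: ssl_request?(env))
  puts build_set_cookie("user_name", force_secure("david"))
end
```

Run it as a plain Ruby script; the audit reports both missing flags on the constructed `_session_id` cookie, and dropping the X-Forwarded-Proto entry from `env` makes `ssl_request?` return false, at which point the Secure finding disappears even though the browser-facing connection was TLS.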
