How do I set the HttpOnly flag on a cookie in Ruby on Rails
Set the 'http_only' option in the hash used to set a cookie, e.g.:
cookies["user_name"] = { :value => "david", :httponly => true }
or, in Rails 2, e.g.:
cookies["user_name"] = { :value => "david", :http_only => true }
Set secure flag on session cookie in RoR even over HTTP
Secure cookies are not sent over non-secure connections by definition.
Terminating SSL upstream is quite common, but you need to pass certain header fields through so that Rails knows and can do the right thing.
Here's a document that explains the configuration in pretty good detail for nginx. Search for "Set headers" to jump to the section describing the specific headers you need to pass through.
There are security considerations using this configuration, e.g., if the device terminating SSL is not on the same secure LAN as the Rails host, then you have a vulnerability.
How do I set the session cookie's HttpOnly setting to false?
I figured this out. In /config/environment.rb
include this code:
config.action_controller.session = {
:httponly => false
}
Ruby On Rails - Brakeman: Session cookies should be set to HTTP only
By default, Rails sets the HTTPOnly flag on session cookies. This flag disallows JavaScript from reading the cookie (see here for details) and thus prevents cross-site scripting attacks from accessing the cookie. In the case of session cookies, it prevents the stealing/hijacking of sessions via cross-site scripting.
Setting httponly: false in the session store options turns off this protection. You can either set it to true or not set it at all (in which case the default is still true).
However, if an application needs to access the session cookie from JavaScript for some reason, then you have to turn off the httponly option. This should be pretty rare, however.
How can I make cookies secure (https-only) by default in rails?
Thanks @knx, you sent me down the right path. Here's the monkeypatch I came up with, which seems to be working:
class ActionController::Response
def set_cookie_with_security(key, value)
value = { :value => value } if Hash != value.class
value[:secure] = true
set_cookie_without_security(key, value)
end
alias_method_chain :set_cookie, :security
end
What do you think?
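The same idea as the monkeypatch above, and the upstream-TLS point from the earlier answer, can be expressed as a Rack-style middleware that rewrites Set-Cookie headers after the app has run. The following is an added example, not code from any of the answers on this page and not part of Rails; it uses plain Ruby only (no rails or rack gem needed, since a Rack middleware is just an object with a call(env) method), and the names CookieFlagEnforcer, audit_set_cookie and run_sample are assumptions for this example. It always adds HttpOnly and adds Secure only when the request arrived over TLS, either directly or via an X-Forwarded-Proto header from a TLS-terminating proxy, which is the same signal Rails consults for request.ssl?. The audit helper at the end is meant for a test suite: it reports which cookies in a response are missing either flag.

```ruby
# Added example (not from the original answers): a Rack-style middleware in
# plain Ruby that enforces HttpOnly on every Set-Cookie header and adds Secure
# when the request arrived over TLS (directly, or terminated upstream and
# signalled via X-Forwarded-Proto). Class and method names are assumptions.

class CookieFlagEnforcer
  def initialize(app)
    @app = app
  end

  # Rack calls this with the request env; pass through and post-process headers.
  def call(env)
    status, headers, body = @app.call(env)
    key = headers.keys.find { |k| k.casecmp('Set-Cookie').zero? }
    headers[key] = harden_cookie_header(headers[key], ssl_request?(env)) if key
    [status, headers, body]
  end

  # Same signals Rails uses for request.ssl?: the scheme Rack reports, or the
  # X-Forwarded-Proto header set by a TLS-terminating proxy. Only trust that
  # header when the proxy in front of the app is under your control.
  def ssl_request?(env)
    return true if env['rack.url_scheme'] == 'https'
    forwarded = env['HTTP_X_FORWARDED_PROTO'].to_s.split(',').first.to_s.strip
    forwarded.casecmp('https').zero?
  end

  # Set-Cookie may be one string with several cookies separated by newlines
  # (Rack's convention) or an Array of strings; handle both shapes.
  def harden_cookie_header(value, ssl)
    cookies = value.is_a?(Array) ? value : value.to_s.split("\n")
    hardened = cookies.map { |c| harden_cookie(c, ssl) }
    value.is_a?(Array) ? hardened : hardened.join("\n")
  end

  # Append the missing attributes to a single cookie string.
  def harden_cookie(cookie, ssl)
    attrs = cookie.split(';').map(&:strip)
    attrs << 'HttpOnly' unless attrs.any? { |a| a.casecmp('httponly').zero? }
    attrs << 'Secure' if ssl && attrs.none? { |a| a.casecmp('secure').zero? }
    attrs.join('; ')
  end
end

# Audit helper: given a Set-Cookie header value, return a Hash of cookie name
# => list of missing flags, empty when every cookie carries both flags.
def audit_set_cookie(value)
  cookies = value.is_a?(Array) ? value : value.to_s.split("\n")
  cookies.each_with_object({}) do |c, problems|
    attrs = c.split(';').map(&:strip)
    name = attrs.first.split('=', 2).first
    missing = []
    missing << 'HttpOnly' unless attrs.any? { |a| a.casecmp('httponly').zero? }
    missing << 'Secure' unless attrs.any? { |a| a.casecmp('secure').zero? }
    problems[name] = missing unless missing.empty?
  end
end

# Constructed sample app: sets a session cookie and a plain cookie with no flags.
SAMPLE_APP = lambda do |_env|
  [200, { 'Set-Cookie' => "_session_id=abc123; path=/\nuser_name=david; path=/" }, ['ok']]
end

# Run the sample app behind the middleware as a plain-HTTP request whose
# proxy reports the given scheme, and return the resulting Set-Cookie header.
def run_sample(forwarded_proto)
  env = { 'rack.url_scheme' => 'http', 'HTTP_X_FORWARDED_PROTO' => forwarded_proto }
  _status, headers, _body = CookieFlagEnforcer.new(SAMPLE_APP).call(env)
  headers['Set-Cookie']
end

if __FILE__ == $PROGRAM_NAME
  puts run_sample('https')
  puts audit_set_cookie('_session_id=abc123; path=/; HttpOnly').inspect
end
```

In a real Rails app this would be registered with config.middleware.use in config/application.rb; the point of the X-Forwarded-Proto check is that Secure is only useful if the browser actually talks HTTPS, so the proxy that terminates TLS must forward that fact, and the link between proxy and app host must be trusted, as the earlier answer notes.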