Reputation: 15406
I have a scenario where I need to NOT set a session on HTTP, instead only setting it on HTTPS pages. The issue at the moment is that we are sharing the session string between HTTPS and HTTP.
I.e. if you visit our HTTP page, you are assigned a session string (unsecured). When you visit one of our HTTPS pages, it uses the same session string. They are shared across both. We don't want people to be able to snoop the session string across unencrypted connections.
Can someone point me to some reading, or docs, around how I could achieve something like this? Even WHERE to look - I'm a bit stumped. Can't find much.
Upvotes: 6
Views: 9035
Reputation: 20594
Rails session data is stored in cookies by default; it sounds like you want to use SSL-only cookies?
UPDATED: try adding secure: true in your config/initializers/session_store.rb file, i.e.

    # Only mark the session cookie Secure outside development/test,
    # so the app still works over plain http://localhost locally.
    secure_option = (Rails.env.development? || Rails.env.test?) ? false : true
    YourApp::Application.config.session_store :cookie_store, { key: '_xxxx_session', secure: secure_option }
Devise should use the Rails setting when generating cookies.

Original answer:
in your config/initializers/devise.rb file there should be a line that looks like this:

    # :secure => true in order to force SSL only cookies.
Try adding it to config.rememberable_options and restarting Rails. NOTE: in development mode that is not what you are going to want; you might be able to do

    # Same idea: Secure remember-me cookies everywhere except development/test.
    secure_option = (Rails.env.development? || Rails.env.test?) ? false : true
    config.rememberable_options = { :secure => secure_option }
see also:
Upvotes: 11
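As an added example (not code from the question or the answers), this models what the `secure: true` option above changes: a Set-Cookie header is parsed into its attributes, and a browser-style rule decides whether the cookie would be attached to a request over http:// or https://. The cookie name `_xxxx_session` is taken from the answer; the headers are constructed.

```ruby
# Added example, not part of the original answers. Models the effect of the
# `secure: true` session_store option on a Rails session cookie.
require 'uri'

Cookie = Struct.new(:name, :value, :secure, :http_only)

# Parse one Set-Cookie header value into a Cookie. Attribute names are
# case-insensitive (RFC 6265), so they are lower-cased before comparison.
def parse_set_cookie(header)
  pair, *attrs = header.split(';').map(&:strip)
  name, value = pair.split('=', 2)
  flags = attrs.map { |a| a.split('=', 2).first.downcase }
  Cookie.new(name, value, flags.include?('secure'), flags.include?('httponly'))
end

# A conforming browser only attaches a Secure cookie to requests over an
# encrypted scheme; non-Secure cookies go out over both http and https.
def sent_over?(cookie, url)
  return true unless cookie.secure
  URI(url).scheme == 'https'
end

# Audit a list of Set-Cookie headers and return the names of session cookies
# that a browser would still send in cleartext (the situation the question
# describes). The session key defaults to the one used in the answer.
def leaky_session_cookies(headers, session_key: '_xxxx_session')
  headers.map { |h| parse_set_cookie(h) }
         .select { |c| c.name == session_key && sent_over?(c, 'http://example.test/') }
         .map(&:name)
end

# Constructed sample headers: before and after adding `secure: true`.
BEFORE = ['_xxxx_session=abc123; path=/; HttpOnly']
AFTER  = ['_xxxx_session=abc123; path=/; secure; HttpOnly']

if __FILE__ == $0
  puts "before: #{leaky_session_cookies(BEFORE).inspect}" # ["_xxxx_session"]
  puts "after:  #{leaky_session_cookies(AFTER).inspect}"  # []
end
```

Pointing the same parser at the real headers from `curl -sI` against the HTTP and HTTPS pages is a quick way to confirm the change took effect after restarting Rails.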
Reputation: 7303
If you want to modify the session cookie, you will have to modify it in a Warden callback; see this thread and this blog post.
Alternatively, you can use a separate cookie. RailsCast here.
Upvotes: -1