Srinivas Yadav
Reputation: 101
Set session cookie as secure in rails
I have Rails application, which is running on https. My application session cookies are http-only. How to set those cookies as secure and https-only in rails?
Upvotes: 9
Views: 11672
Answers (1)
jmera
Reputation: 684
Rails 3/4
If you want to flag the session cookie as secure, in config/initializers/session_store.rb, set the secure flag:
Demo::Application.config.session_store :cookie_store,
key: '_demo_session',
secret: "your secret",
secure: Rails.env.production?, # flags cookies as secure only in production
httponly: true # should be true by default for all cookies
If you want to flag all cookies as secure, add config.force_ssl = true in the desired config/environments/*.rb file. This feature adds other functionality to your Rails app, summarized here.
Upvotes: 13
Related Questions
- How do I manually set cookie in rails app?
- How to force a secure cookie over HTTP with Rails
- How can I make cookies secure (https-only) by default in rails?
- Set "secure" flag on session cookie in RoR even over HTTP
- Cookie is not set when secure option is enabled in rails session_store configuration?
- Rails : Secure Session Cookies
- Secure session cookies for rails application
- Ruby on Rails security regarding session cookies
- Secure session cookie is not set
- How do I set HttpOnly on a session cookie in Rails 2.1?