Suganya Selvarajan

Reputation: 1092

Rails : Secure Session Cookies

I have a Rails application which does not have a user interface for sign-in. User sign-in is done by another application and sessions are created. We use Devise for authentication. Now when we check the session, the secure flag is set to false.

As per my research, I tried to set the secure flag in config/initializers/session_store.rb

My::Application.config.session_store :cookie_store, :key => '_MyApp_session', :secure => true

and restarted the server. And then I checked my session object which still has the secure flag false.

Also, when I stop my application in the debugger and type session, it outputs

#<ActionDispatch::Request::Session:0x6f43200 not yet loaded>

So I did

session[:init] = true

and then checked the secure flag.

How can I secure my session object?

Also, other cookies have the secure attribute set to true in the cloud, but locally they do not show secure: true.

Upvotes: 1

Views: 2120

Answers (1)

Gabor Lengyel

Reputation: 15599

The secure flag makes the browser send the cookie only over https connections and not over plain http.

If your environment is not https, the secure flag doesn't make sense, and it won't effectively be set. So you can only test this over https.

Upvotes: 3
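An added example, not part of the question or answer above: a small pure-Ruby audit of the Set-Cookie header a Rails app actually returns, so the secure flag is checked on the wire rather than on the in-memory session object. The `_MyApp_session` name comes from the question; the header strings are constructed samples, and `https:` is a parameter of this example saying whether the response was fetched over TLS.

```ruby
# Added example (not from the question or answer): audit a Set-Cookie header
# for the attributes a session cookie should carry. Pure Ruby, no Rails needed;
# feed it the Set-Cookie lines from e.g. `curl -sI https://host/` output.

# Parse one Set-Cookie header value into name, value and a hash of attributes.
# Attribute names are downcased; flag attributes (Secure, HttpOnly) map to true.
def parse_set_cookie(header)
  pair, *attrs = header.split(';').map(&:strip)
  name, value = pair.split('=', 2)
  attributes = {}
  attrs.each do |attr|
    k, v = attr.split('=', 2)
    attributes[k.downcase] = v.nil? ? true : v
  end
  { name: name, value: value, attributes: attributes }
end

# Return the list of problems found for a session cookie. `https` says whether
# the response came over TLS: over plain http a browser ignores Secure, so the
# check reports that the observation itself is not meaningful there.
def session_cookie_findings(header, https:)
  cookie = parse_set_cookie(header)
  attrs = cookie[:attributes]
  findings = []
  findings << 'tested over http: Secure cannot be observed here' unless https
  findings << 'missing Secure' unless attrs['secure']
  findings << 'missing HttpOnly' unless attrs['httponly']
  findings << 'missing SameSite' unless attrs.key?('samesite')
  findings
end

# Constructed sample headers (not captured from any real server).
WEAK   = '_MyApp_session=abc123; path=/'
STRONG = '_MyApp_session=abc123; path=/; secure; HttpOnly; SameSite=Lax'

if __FILE__ == $0
  p session_cookie_findings(WEAK, https: true)   # three findings
  p session_cookie_findings(STRONG, https: true) # []
end
```

Run it against a response fetched over https; as the answer notes, over plain http the flag cannot be meaningfully observed, which the `https: false` finding reflects.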
