Reputation: 1092
I have a Rails application which does not have a user interface for sign-in. User sign-in is done by another application, and sessions are created. We use Devise for authentication. Now when we check the session, the secure flag is set to false.
As per my research, I tried to set the secure flag in config/initializers/session_store.rb:
My::Application.config.session_store :cookie_store, :key => '_MyApp_session', :secure => true
and restarted the server. Then I checked my session object, which still has the secure flag set to false.
Also, when I stopped my application in the debugger, typing session outputs
#<ActionDispatch::Request::Session:0x6f43200 not yet loaded>
So I did
session[:init] = true
and then checked the secure flag.
How can I secure my session object?
Also, other cookies have the secure attribute set to true in the cloud, but in my local environment it does not show secure: true.
Upvotes: 1
Views: 2120
Reputation: 15599
The secure flag makes the cookie only be sent by the browser over https connections and not plain http.
If your environment is not https, the secure flag doesn't make sense, and it won't effectively be set. So you can only test this over https.
Upvotes: 3
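An added example (not part of the original question or answer): a small Ruby check that parses Set-Cookie header values captured from a response, reports which cookies lack the Secure attribute, and applies the browser rule the answer describes. The header values, URLs and helper names are constructed for illustration; only the cookie name `_MyApp_session` comes from the question.

```ruby
require "uri"

# Parse one Set-Cookie header value into its name, value and attributes.
# Attribute names are case-insensitive, so they are stored lowercased.
def parse_set_cookie(header)
  pair, *attrs = header.split(";").map(&:strip).reject(&:empty?)
  name, value = pair.split("=", 2)
  attributes = attrs.each_with_object({}) do |attr, acc|
    key, val = attr.split("=", 2)
    acc[key.downcase] = val.nil? ? true : val   # flag attributes have no value
  end
  { name: name, value: value, attributes: attributes }
end

# True when the cookie carries the Secure attribute.
def secure?(cookie)
  cookie[:attributes]["secure"] == true
end

# Browser rule from the answer: a Secure cookie is sent only over https,
# while a cookie without the flag is sent over both http and https.
def sent_over?(cookie, url)
  !secure?(cookie) || URI(url).scheme == "https"
end

# Names of cookies in a response that were issued without Secure.
def missing_secure(headers)
  headers.map { |h| parse_set_cookie(h) }.reject { |c| secure?(c) }.map { |c| c[:name] }
end

# Constructed sample headers: the session cookie without and with the flag.
SAMPLE_HEADERS = [
  "_MyApp_session=abc123; path=/; HttpOnly",
  "_MyApp_session=abc123; path=/; secure; HttpOnly"
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_HEADERS.each do |header|
    cookie = parse_set_cookie(header)
    puts "#{cookie[:name]} secure=#{secure?(cookie)} " \
         "http=#{sent_over?(cookie, 'http://localhost:3000/')} " \
         "https=#{sent_over?(cookie, 'https://app.example.test/')}"
  end
end
```

Feed it the Set-Cookie values from a response fetched over https to confirm the session cookie is issued with the flag.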