Reputation: 1092
Rails : Secure Session Cookies
I have a rails application which does not have User Interface for sign in. User sign in is done by another application and sessions are created. We use Devise for authentication. Now when we check the session, the secure flag is set to false.
As per my research, I tried to set secure flag in config/initializers/session_store.rb
My::Application.config.session_store :cookie_store, :key => '_MyApp_session', :secure => true
and restarted the server. And then I checked my session object which still has the secure flag false.
Also when I stopped my application in debugger and typing session outputs
#<ActionDispatch::Request::Session:0x6f43200 not yet loaded>
So I did
session[:init] = true
and then checking the secure flag.
How can I secure my session object?
Also other cookies have the secure attribute true in cloud but in my local it does not show secure: true..
Upvotes: 1
Views: 2120
Answers (1)
Reputation: 15599
The secure flag makes the cookie only be sent by the browser over https connections and not plain http.
If your environment is not https, the secure flag doesn't make sense, and it won't effectively be set. So you can only test this over https.
Upvotes: 3
Related Questions
- Cookies without authentication ? (and cookie value)
- Set session cookie as secure in rails
- How do sessions and cookies work in Rails?
- How does rails/devise handle cookie sessions?
- Secure session cookies for rails application
- Devise - how does it set session cookies?
- Rails Session Management
- Ruby on Rails security regarding session cookies
- Security Model in Rails Question
- Security of Cookie-based sessions