How do I set the HttpOnly flag on a cookie in Ruby on Rails

Question

The page Protecting Your Cookies: HttpOnly explains why making HttpOnly cookies is a good idea.

How do I set this property in Ruby on Rails?

Answer 1

If you’ve a file called config/session_store.rb including this line (Rails 3+), then it’s automatically set already. config/initializers/session_store.rb:

# Be sure to restart your server when you modify this file.
Rails.application.config.session_store :cookie_store, key: "_my_application_session"

Also rails allows you to set following keys:

:expires - The time at which this cookie expires, as a Time object.

:secure - Whether this cookie is only transmitted to HTTPS servers. Default is false.

Answer 2

Re Laurie's answer:

Note that the option was renamed from :http_only to :httponly (no underscore) at some point.

In actionpack 3.0.0, that is, Ruby on Rails 3, all references to :http_only are gone.

That threw me for a while.

Answer 3

Set the 'http_only' option in the hash used to set a cookie

e.g.

cookies["user_name"] = { :value => "david", :httponly => true }

or, in Rails 2:

e.g.

cookies["user_name"] = { :value => "david", :http_only => true }

Answer 4

I also wrote a patch that is included in Rails 2.2, which defaults the CookieStore session to be http_only.

Unfortunately session cookies are still by default regular cookies.

Answer 5

Just set :http_only to true as described in the changelog.