Rails 2.2.3 secure/http_only session cookie

Scott H.

Dec 30, 2014, 4:45:37 PM12/30/14
to rubyonra...@googlegroups.com
I'm way behind the times.

I've finally got the go ahead from corporate to start an upgrade of
our ROR application from 1.2.6.

I'm first upgrading to Rails 2.2.3 which has not been too bad but I
have a question around http_only and secure session cookie using
:active_record_store.

I understand that :session_http_only by default is set to TRUE but it
appears to be ignored while :session_secure is FALSE.

I'm using this at the bottom of environment.rb to turn on the secure
flag.
ActionController::Base.session_options[:session_secure] = true

When secure is turned off (FALSE) I CAN access the session cookie via
javascript in the browser.
When secure is turned on (TRUE) I CANNOT access the session cookie via
javascript.

This does not apply to other cookies - just the session cookie.

Was this a known issue?

--
Posted via http://www.ruby-forum.com/.
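Added example, not part of Scott's post: a small Ruby script that parses the Set-Cookie headers of a response the way a browser does and reports whether the session cookie carries the Secure and HttpOnly attributes, which is a way to confirm from the server response what the document.cookie test in the browser suggests. The header values and the `_session_id` cookie name are constructed for illustration; substitute the app's configured :session_key.

```ruby
# Added example (not from the original post): check the Secure and
# HttpOnly attributes on the Rails session cookie from Set-Cookie headers.

# Parse one Set-Cookie header value into name, value and attributes.
# Attribute names are case-insensitive (RFC 6265); bare flags such as
# Secure and HttpOnly become true.
def parse_set_cookie(header)
  parts = header.split(';').map(&:strip)
  name, value = parts.shift.split('=', 2)
  attrs = {}
  parts.each do |part|
    key, val = part.split('=', 2)
    attrs[key.downcase] = val.nil? ? true : val
  end
  { name: name, value: value, attrs: attrs }
end

# Findings for the session cookie among the given Set-Cookie headers:
# nil if no cookie with that name is set, an empty list if both flags
# are present, otherwise one message per missing flag.
def session_cookie_findings(set_cookie_headers, session_key)
  cookies = set_cookie_headers.map { |h| parse_set_cookie(h) }
  cookie = cookies.find { |c| c[:name] == session_key }
  return nil unless cookie
  findings = []
  findings << 'missing Secure (cookie sent over plain HTTP)' unless cookie[:attrs]['secure']
  findings << 'missing HttpOnly (cookie readable via document.cookie)' unless cookie[:attrs]['httponly']
  findings
end

# Constructed sample headers mirroring the two cases in the post.
# '_session_id' is assumed here as the session key; use the app's own.
SESSION_KEY = '_session_id'
INSECURE_HEADERS = [
  '_session_id=abc123; path=/',                    # constructed: secure off
  'theme=dark; path=/'
]
SECURE_HEADERS = [
  '_session_id=abc123; path=/; Secure; HttpOnly',  # constructed: secure on
  'theme=dark; path=/'
]

if __FILE__ == $0
  [INSECURE_HEADERS, SECURE_HEADERS].each do |hdrs|
    puts "#{hdrs.first} -> #{session_cookie_findings(hdrs, SESSION_KEY).inspect}"
  end
end
```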