Shouldn't Rails add the secure flag automatically for the cookie store when request.ssl?


Rodrigo Rosenfeld Rosas

Sep 1, 2016, 9:14:34 AM
to Ruby on Rails: Core
Hi, currently Rails apps will have something like this by default in the
initializers:

Rails.application.config.session_store :cookie_store, key: '_my_app_session'

This will not set the "secure" flag in the _my_app_session cookie. It
can be set by providing the {secure: true} option to session_store, but
this happens at boot time rather than at request time. This has two
problems in my opinion:

1 - Rails isn't safe by default (to the extent of a secure cookie);

2 - It's not possible to serve the same application over different
domains when one of them is served over HTTPS and other over HTTP
(unless insecure cookies are used for both); this could be useful for
some multi-tenant applications that will customize any views or behavior
based on the request's domain, while some clients are willing to use a
certificate while others are not (maybe managing free Let's Encrypt
certificates would not be desired and not all clients are willing to pay
for the certificates).

To fix the second case, Rails could introduce a {secure: :if_ssl} or
{conditionally_secure: true} option to allow the secure flag to be set
if request.ssl? is true. The first case would be fixed making this
option the default one.

What do you think?

Best,

Rodrigo.

Florian Wininger

Sep 7, 2016, 12:57:34 PM
to Ruby on Rails: Core
Hi, if you want to use only HTTPS with all secure options, I recommend you uncomment the default production environment option in config/environments/production.rb:

  # Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
  # config.force_ssl = true

Rails provides the complete secure HTTPS stack:
- secure flag in session cookie,
- HTTP Strict-Transport-Security,
- redirect http to https.

Cheers,
Florian

Rodrigo Rosenfeld Rosas

Sep 8, 2016, 7:37:28 AM
to rubyonra...@googlegroups.com

Unfortunately, this won't work for the cases where the same application serves multiple domains but only some of them have an SSL certificate. Also, it can't be enabled by default since not everyone is serving over HTTPS. What I suggested can be enabled by default out of the box, improving security a little bit by default without breaking HTTP apps.
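Rodrigo's `:if_ssl` proposal in the first post and the multi-domain case restated in this reply can be illustrated with a small Rack-style middleware that adds the Secure attribute to the session cookie only when the request actually came in over HTTPS. This is an added example, not code from the thread or from Rails; `SESSION_KEY`, `ConditionalSecureCookie`, `ssl_request?` and the demo app are this example's own names, and the middleware follows the Rack calling convention without requiring the rack gem so it runs stand-alone.

```ruby
# Added example (not from the thread or from Rails): set the Secure attribute on
# the session cookie conditionally, based on the scheme of the current request,
# instead of fixing it once at boot with `secure: true`.

SESSION_KEY = '_my_app_session' # hypothetical, mirrors the thread's initializer

# Decide whether a request was served over TLS. These are the same signals
# Rack's Request#ssl? consults: the URL scheme, the HTTPS CGI variable, or an
# X-Forwarded-Proto header. The header is only trustworthy if the app sits
# behind a proxy that overwrites it; never honour it from an untrusted edge.
def ssl_request?(env)
  return true if env['rack.url_scheme'] == 'https' || env['HTTPS'] == 'on'
  env['HTTP_X_FORWARDED_PROTO'].to_s.split(',').first.to_s.strip.downcase == 'https'
end

# Append "; Secure" to one Set-Cookie line when it is the session cookie, the
# request was TLS, and the attribute is not already present. Other cookies
# pass through unchanged.
def secure_cookie_line(line, ssl)
  name = line.split('=', 2).first.to_s.strip
  return line unless ssl && name == SESSION_KEY
  attrs = line.split(';').map(&:strip)
  return line if attrs.drop(1).any? { |a| a.casecmp('secure').zero? }
  "#{line}; Secure"
end

# Rewrite a whole Set-Cookie header value; Rack joins multiple cookies with "\n".
def secure_session_cookie(set_cookie, ssl)
  set_cookie.split("\n").map { |l| secure_cookie_line(l, ssl) }.join("\n")
end

class ConditionalSecureCookie
  def initialize(app)
    @app = app
  end

  # Standard Rack middleware entry point: run the app, then post-process headers.
  def call(env)
    status, headers, body = @app.call(env)
    if (set_cookie = headers['Set-Cookie'])
      headers['Set-Cookie'] = secure_session_cookie(set_cookie, ssl_request?(env))
    end
    [status, headers, body]
  end
end

# Constructed demo app: always emits the session cookie plus an unrelated cookie.
DEMO_APP = lambda do |_env|
  cookies = "#{SESSION_KEY}=abc123; path=/; HttpOnly\ntheme=dark; path=/"
  [200, { 'Set-Cookie' => cookies }, ['ok']]
end

# Return the Set-Cookie header the wrapped app produces for a given scheme.
def demo(scheme)
  ConditionalSecureCookie.new(DEMO_APP).call('rack.url_scheme' => scheme)[1]['Set-Cookie']
end

if __FILE__ == $PROGRAM_NAME
  puts demo('https') # session cookie gains "; Secure"
  puts demo('http')  # unchanged, so the HTTP-only tenant keeps working
end
```

Run it to see the session cookie gain `; Secure` for the HTTPS request and stay untouched for the HTTP one, which is the behaviour the thread asks for. One caveat worth keeping in mind when deploying this pattern: it only helps when each domain is served on a single scheme. If the same host answers on both `http://` and `https://`, a plain-HTTP response will set a non-Secure copy of the cookie that the browser then sends on every later request regardless of scheme, which is why `config.force_ssl` remains the right choice for hosts that have a certificate.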

