How can I make cookies secure (https-only) by default in rails?
There's no need to monkeypatch ActionController
/ActionDispatch
, and force_ssl
has side effects (e.g. when behind an ELB).
The most straightforward way to achieve secure cookies is to modify config/initializers/session_store.rb
:
MyApp::Application.config.session_store( :cookie_store, key: '_my_app_session', secure: Rails.env.production?)
starting with rails 3.1, according to the rails security guide, you can simply set the following in your application.rb
:
config.force_ssl = true
this forces the cookie to be sent over https only (and I assume everything else, too).
Thanks @knx, you sent me down the right path. Here's the monkeypatch I came up with, which seems to be working:
class ActionController::Response def set_cookie_with_security(key, value) value = { :value => value } if Hash != value.class value[:secure] = true set_cookie_without_security(key, value) end alias_method_chain :set_cookie, :securityend
What do you think?