How can I make cookies secure (https-only) by default in rails? How can I make cookies secure (https-only) by default in rails? ruby-on-rails ruby-on-rails

How can I make cookies secure (https-only) by default in rails?


ruby-on-rails ssl cookies https ruby-on-rails-5

There's no need to monkeypatch ActionController/ActionDispatch, and force_ssl has side effects (e.g. when behind an ELB).

The most straightforward way to achieve secure cookies is to modify config/initializers/session_store.rb:

MyApp::Application.config.session_store(   :cookie_store,   key: '_my_app_session',  secure: Rails.env.production?)

ruby-on-rails ssl cookies https ruby-on-rails-5

starting with rails 3.1, according to the rails security guide, you can simply set the following in your application.rb:

config.force_ssl = true

this forces the cookie to be sent over https only (and I assume everything else, too).

ruby-on-rails ssl cookies https ruby-on-rails-5

Thanks @knx, you sent me down the right path. Here's the monkeypatch I came up with, which seems to be working:

class ActionController::Response  def set_cookie_with_security(key, value)    value = { :value => value } if Hash != value.class    value[:secure] = true    set_cookie_without_security(key, value)  end  alias_method_chain :set_cookie, :securityend

What do you think?

Recent Posts
How can I color dots in a xy scatterplot according to column value?
How to update a claim in ASP.NET Identity?
What does {0} mean when initializing an object?
Accessing members of items in a JSONArray with Java
How to log SQL statements in Spring Boot?
Powershell Get-WebSite name parameter is ignored
How to detect scroll to bottom of html element
Java synchronized method
How to test controllers with CodeIgniter?
Detect Visual Composer
Matplotlib: Specify format of floats for tick labels
Rails join a list of strings with commas and "and" before the last