
How to secure a Rails app against Firesheep?


Looks pretty good to me. It's pretty similar in Rails 3, though by default the session config is stored in config/initializers/session_store.rb. I usually tweak mine to look something like...

    MyApp::Application.config.session_store :cookie_store,
      :key          => '_my_app_session',
      :secure       => Rails.env == 'production', # Only send cookie over SSL when in production mode
      :httponly     => true,                      # Don't allow JavaScript to access the cookie (mitigates cookie-based XSS exploits)
      :expire_after => 60.minutes

And the secret is held in config/initializers/secret_token.rb:

    MyApp::Application.config.secret_token = 'secret secrets are no fun...'

If you have access to your Apache (or whatever) config, you can also force SSL usage at that level. Strikes me as a more appropriate place to do that, but I guess not everyone has that option.


Seeing as this SO post ranks pretty high in Google I thought I'd share the approach I used for securing an app.

If you want to ensure SSL and also ensure secure cookies then you could use a Rack middleware:

https://github.com/tobmatth/rack-ssl-enforcer

I evaluated lots of different options and configuration settings for doing this but the rack middleware felt like the best option with the least amount of config - very easy to deploy. It has some great config options to filter specific rules, hosts, paths etc.

I tested that it does indeed set secure cookies correctly and it does. The one thing I noted was it only did it when logging out and logging in again - but that was using Devise.
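To make concrete what the two answers above rely on (sending the session cookie only over TLS, marking it HttpOnly, and redirecting plain HTTP requests to HTTPS), here is an added example of a minimal Rack-style middleware written in plain Ruby. It is not code from the question, the answers, or the rack-ssl-enforcer project; the class name ForceSslAndSecureCookies, the DEMO_APP lambda and the simulate helper are hypothetical, and the cookie value is constructed for the demo. It needs no gems: it follows the Rack call(env) contract directly so it runs stand-alone.

```ruby
# Added example (not from the original post or from rack-ssl-enforcer).
# A Rack-style middleware that (1) redirects non-HTTPS requests to the HTTPS
# URL and (2) appends "secure" and "HttpOnly" to any Set-Cookie header the
# application emits without them. Names are hypothetical.
class ForceSslAndSecureCookies
  def initialize(app, enforce: true)
    @app = app          # the downstream Rack application
    @enforce = enforce  # e.g. Rails.env == 'production' in a real deployment
  end

  def call(env)
    return redirect_to_https(env) if @enforce && !ssl?(env)

    status, headers, body = @app.call(env)
    headers = headers.dup
    if (cookie = headers['Set-Cookie'])
      headers['Set-Cookie'] = self.class.harden_cookies(cookie)
    end
    [status, headers, body]
  end

  # Ensure every cookie line carries the secure and HttpOnly attributes.
  # Rack delivers multiple cookies as one newline-separated string or an Array.
  def self.harden_cookies(value)
    lines = value.is_a?(Array) ? value : value.split("\n")
    lines.map { |c| harden_cookie(c) }.join("\n")
  end

  # Idempotent: attributes already present (any case) are not duplicated.
  def self.harden_cookie(cookie)
    attrs = cookie.split(';').map(&:strip)
    lower = attrs.map(&:downcase)
    attrs << 'secure'   unless lower.include?('secure')
    attrs << 'HttpOnly' unless lower.include?('httponly')
    attrs.join('; ')
  end

  private

  # A request counts as TLS if Rack itself saw https, or if a reverse proxy
  # that terminates TLS told us so via X-Forwarded-Proto. Only trust that
  # header when your own proxy sets it and strips client-supplied copies.
  def ssl?(env)
    return true if env['rack.url_scheme'] == 'https'
    env['HTTP_X_FORWARDED_PROTO'].to_s.split(',').first.to_s.strip == 'https'
  end

  # Permanent redirect to the same host/path/query over https.
  def redirect_to_https(env)
    location = "https://#{env['HTTP_HOST']}#{env['PATH_INFO']}"
    location += "?#{env['QUERY_STRING']}" unless env['QUERY_STRING'].to_s.empty?
    [301, { 'Content-Type' => 'text/plain', 'Location' => location }, ['Redirecting to HTTPS']]
  end
end

# Hypothetical downstream app: sets a session cookie with no security flags,
# the situation the answers above are fixing. Cookie value is constructed.
DEMO_APP = lambda do |_env|
  [200,
   { 'Content-Type' => 'text/plain',
     'Set-Cookie' => '_my_app_session=abc123; path=/' },
   ['ok']]
end

# Build a Rack env by hand and run it through the middleware.
def simulate(scheme:, forwarded_proto: nil, host: 'example.test', path: '/login', query: '')
  env = {
    'rack.url_scheme' => scheme,
    'HTTP_HOST'       => host,
    'PATH_INFO'       => path,
    'QUERY_STRING'    => query
  }
  env['HTTP_X_FORWARDED_PROTO'] = forwarded_proto if forwarded_proto
  ForceSslAndSecureCookies.new(DEMO_APP).call(env)
end

if __FILE__ == $PROGRAM_NAME
  p simulate(scheme: 'http',  query: 'next=%2Faccount')   # 301 to https://example.test/login?next=%2Faccount
  p simulate(scheme: 'https')                              # 200, cookie now "...; secure; HttpOnly"
  p simulate(scheme: 'http',  forwarded_proto: 'https')    # 200, proxy-terminated TLS is accepted
end
```

In a Rails app this would be mounted with `config.middleware.insert_before ActionDispatch::Cookies, ForceSslAndSecureCookies, enforce: Rails.env == 'production'` (assumed, not from the original), but as the first answer notes, forcing HTTPS at the web server is usually the cleaner place when you control it; the cookie flags still belong in session_store.rb so they hold regardless of what sits in front of the app.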