
I have Rails application, which is running on https. My application session cookies are http-only. How to set those cookies as secure and https-only in rails?

Srinivas Yadav

1 Answer


Rails 3/4

If you want to flag the session cookie as secure, in config/initializers/session_store.rb, set the secure flag:

Demo::Application.config.session_store :cookie_store,
  key: '_demo_session',
  secret: "your secret",
  secure: Rails.env.production?, # flags cookies as secure only in production
  httponly: true # should be true by default for all cookies

If you want to flag all cookies as secure, add config.force_ssl = true in the desired config/environments/*.rb file. This feature adds other functionality to your Rails app, summarized here.

jmera
  • @Srinivas Yadav I also created a minimalist rack middleware you can use to set the secure flag on all your session cookies: https://github.com/jmera/secure_cookies – jmera Jul 11 '15 at 16:23
  • `config.force_ssl = true` unless you do the SSL via your load balancer – Tilo Mar 30 '17 at 00:20
  • I am using Nginx and when I set `secure: true` the cookie doesn't appear as secure in the browser dev-cookies view. I wonder why. – Hairi May 29 '19 at 17:40
  • Just an FYI for future readers, you can also specify `same_site: "Strict"`. – theblang Dec 08 '20 at 23:15
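As an added example that is not the answer's code or jmera's gem: a self-contained Rack middleware that appends the Secure, HttpOnly and SameSite attributes to every Set-Cookie header the app emits, which covers the load-balancer case from Tilo's comment where `config.force_ssl` is not wanted. It uses no gem, and the default `SameSite=Lax` is an assumption you can override.

```ruby
# Added example, not the answer's code: a Rack middleware that appends Secure,
# HttpOnly and SameSite to every Set-Cookie header the app emits, for setups
# where TLS ends at a load balancer and `config.force_ssl` is not wanted.
# Pure Ruby, so it runs without the rack gem; SameSite=Lax is an assumed default.
class SecureCookieFlags
  # attribute name (lower-cased for matching) => text appended when missing
  DEFAULTS = {
    'secure'   => 'Secure',
    'httponly' => 'HttpOnly',
    'samesite' => 'SameSite=Lax'
  }.freeze

  def initialize(app, attributes = DEFAULTS)
    @app = app
    @attributes = attributes
  end

  def call(env)
    status, headers, body = @app.call(env)
    # Header names are case-insensitive; Rack 3 lower-cases them.
    key = headers.keys.find { |k| k.casecmp?('set-cookie') }
    headers[key] = harden_header(headers[key]) if key
    [status, headers, body]
  end

  # Rack 2 joins several cookies with "\n"; Rack 3 uses an Array. Preserve
  # whichever shape the app produced.
  def harden_header(value)
    if value.is_a?(Array)
      value.map { |c| self.class.harden(c, @attributes) }
    else
      value.to_s.split("\n").map { |c| self.class.harden(c, @attributes) }.join("\n")
    end
  end

  # Append each attribute that is not already present on one Set-Cookie value;
  # names are matched case-insensitively so "secure" is never added twice.
  def self.harden(cookie, attributes = DEFAULTS)
    present = cookie.split(';').drop(1).map { |a| a.strip.split('=', 2).first.downcase }
    missing = attributes.reject { |name, _| present.include?(name) }.values
    ([cookie.strip] + missing).join('; ')
  end
end

if $PROGRAM_NAME == __FILE__
  app = ->(_env) { [200, { 'Set-Cookie' => '_demo_session=abc; path=/; HttpOnly' }, ['ok']] }
  _status, headers, _body = SecureCookieFlags.new(app).call({})
  puts headers['Set-Cookie'] # _demo_session=abc; path=/; HttpOnly; Secure; SameSite=Lax
end
```

In a Rails app this would go in `config/application.rb` via `config.middleware.use SecureCookieFlags`, after which you can confirm the flags with the browser's cookie inspector or `curl -I`.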