0

I have a Rails 2 application, and I want to set the session cookie to secure. By default it will be HTTP-only. To implement this, I added `:secure => true` in `config/initializers/session_store.rb` as below:

```ruby
ActionController::Base.session = {
  :key         => '_app_session',
  :secret      => '123.......',
  :secure      => true
}
```

But it does not work. However, the same thing works well in Rails 3.

  • Possible duplicate of [How can I make cookies secure (https-only) by default in rails?](http://stackoverflow.com/questions/3773605/how-can-i-make-cookies-secure-https-only-by-default-in-rails) – lcguida Oct 21 '16 at 07:27
  • @lcguida: Thanks for the link to the possible duplicate question. However, none of the answers there work for a Rails 2 application. – vipul Kumar Oct 21 '16 at 09:58
  • @vipulKumar Secure cookies are HTTPS-only. So it may only work when you access the application with an HTTPS URL. What exactly "does not work"? – nvugteveen Oct 21 '16 at 11:00
  • @nvugteveen: My application has HTTPS URLs only. I want my 'session' cookie to be secure. If I do the configuration as above, it does not make my session cookie secure. However, the same configuration makes the cookie secure in Rails 3/4. – vipul Kumar Oct 21 '16 at 11:49
  • @vipulKumar What do you mean by "secure"? Are you trying to prevent tampering, or trying to prevent users from reading the contents of the cookie? – user229044 Oct 21 '16 at 12:57

1 Answer

0

This worked for me in the past. In `config/environment.rb`:

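```ruby
# In Rails 2 this goes inside the Rails::Initializer.run do |config| ... end block.
config.action_controller.session = {
  :session_key => '_app_session',
  :secret      => '123.......',
  :secure      => true   # ask for the Secure attribute on the session cookie
}
```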
ndipiazza
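To make "does not work" checkable, the following added example (not part of the original thread) parses `Set-Cookie` response headers and reports which of the `Secure` and `HttpOnly` attributes the session cookie is missing. The helper names and the sample header lines are constructed for illustration; `_app_session` is the cookie name from the question.

```ruby
# Added example: audit Set-Cookie headers for the session cookie's flags.
# Attributes are parsed per cookie instead of grepping for "secure", so a
# path such as /secure or another cookie named "secure" cannot mask a gap.

REQUIRED_FLAGS = %w[secure httponly].freeze

# Split one Set-Cookie value into [name, value, {attribute => value_or_true}].
def parse_set_cookie(header)
  pair, *attrs = header.split(';').map(&:strip)
  return [nil, nil, {}] if pair.nil?
  name, value = pair.split('=', 2)
  flags = attrs.each_with_object({}) do |attr, h|
    k, v = attr.split('=', 2)
    h[k.downcase] = v || true unless k.nil? || k.empty?
  end
  [name, value, flags]
end

# Returns the required flags missing from the named cookie,
# or nil when no header sets that cookie at all.
def missing_flags(set_cookie_headers, cookie_name)
  found = set_cookie_headers.map { |h| parse_set_cookie(h) }
                            .select { |name, _, _| name == cookie_name }
  return nil if found.empty?
  # Every header that sets the cookie must carry every required flag.
  found.flat_map { |_, _, flags| REQUIRED_FLAGS.reject { |f| flags.key?(f) } }.uniq
end

# Constructed sample responses (not captured from a real application).
SAMPLES = {
  'flag not applied' => ['_app_session=BAh7Bjoabc--d41d8c; path=/; HttpOnly'],
  'flag applied'     => ['_app_session=BAh7Bjoabc--d41d8c; path=/; HttpOnly; secure'],
  'misleading grep'  => ['_app_session=x; path=/secure; HttpOnly', 'secure=1; path=/']
}.freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each do |label, headers|
    missing = missing_flags(headers, '_app_session')
    status = missing.empty? ? 'OK' : "missing: #{missing.join(', ')}"
    puts "#{label}: #{status}"
  end
end
```

Feed it the `Set-Cookie` lines from an HTTPS response of the application (for example, copied from the browser's network inspector) before and after changing the session configuration.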