When I access `document.cookie` in JavaScript, it spits out, say:

'user_credentials=5beea8874f2db9feb873828'

Basically, what appears to be some encoded information. Fine.

When I look at the headers, I do see that exact same string being set to user_credentials, but there's also another value being set for _myapplication_session=BAh7CiIQX. Unlike with user_credentials, this one includes capital letters and letters after F.

So:

  • What is _myapplication_session? Is this related to the session object in Rails?
  • Why doesn't _myapplication_session show up with JavaScript document.cookie?
Steven
  • `user_credentials` apparently is a string containing hexadecimal numbers. – Marcel Korpel Jan 23 '11 at 18:47
  • I'm perfectly willing to accept that the data contained within is some base 64 representation of some encrypted information that is decoded server-side. I'm asking about its relationship to `document.cookie`—namely, why it doesn't show up. I'm also asking about its relationship to the Rails-side `cookie` and `session` objects. – Steven Jan 23 '11 at 19:04

1 Answer

What is _myapplication_session? Is this related to the session object in Rails?

Yes, this is the way Rails identifies user sessions.

Why doesn't _myapplication_session show up with JavaScript document.cookie?

I believe Rails sets httponly=>true on session cookies, which means they are (generally) not accessible using client-side scripts, as described in this SO thread.

zetetic
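The behaviour described in the answer, as an added example that is not part of the original question or answer: it parses `Set-Cookie` headers and reports which cookies page scripts can read. The header attributes are constructed for illustration (only the cookie names and values come from the question), the function names are hypothetical, and path, domain and expiry matching are assumed to pass.

```javascript
// Constructed sample response headers. Cookie names and values are the ones
// quoted in the question; the attributes are assumptions for illustration.
const sampleSetCookie = [
  'user_credentials=5beea8874f2db9feb873828; path=/',
  '_myapplication_session=BAh7CiIQX; path=/; HttpOnly',
];

// Parse one Set-Cookie header value into { name, value, attrs }.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';');
  const eq = pair.indexOf('=');
  if (eq < 1) return null; // this sketch skips cookies without a name
  const attrs = {};
  for (const part of rest) {
    const i = part.indexOf('=');
    // Attribute names are case-insensitive: HttpOnly, httponly, HTTPONLY.
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    if (key) attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return {
    name: pair.slice(0, eq).trim(),
    value: pair.slice(eq + 1).trim(),
    attrs,
  };
}

// Split cookies by whether client-side script can read them.
function auditCookies(headers) {
  const cookies = headers.map(parseSetCookie).filter(Boolean);
  // The presence of the attribute is what matters, not any value after it.
  const isHttpOnly = (c) => 'httponly' in c.attrs;
  const visible = cookies.filter((c) => !isHttpOnly(c));
  return {
    // What document.cookie would return: HttpOnly cookies are left out.
    documentCookie: visible.map((c) => `${c.name}=${c.value}`).join('; '),
    scriptReadable: visible.map((c) => c.name),
    httpOnly: cookies.filter(isHttpOnly).map((c) => c.name),
  };
}

console.log(auditCookies(sampleSetCookie));
```

Any cookie listed under `scriptReadable` can be read by script running in the page, so a session or credential cookie appearing there is worth reviewing.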