
I am using :active_record_store for session_store in a Rails 4.1.1 application. I need to make the session cookie secure (HTTPS only) in my application. I tried the code below in the development environment, but it did not work for me.

# The first argument names the store class in use; :session_store is not a store,
# so it is replaced here with the :active_record_store the question says is configured.
MyApp::Application.config.session_store :active_record_store, key: '_session_id', secure: true

config.force_ssl = true makes all cookies secure, which is not a requirement.

How can I set the Secure flag for the cookie by default in the application configuration, so that it instructs the browser that the cookie can only be sent over secure SSL channels?

rink.attendant.6

1 Answer


To flag the session cookie as secure you can do this:

MyApp::Application.config.session_store :cookie_store,
  key: "_session_id",
  secret: "your_secret",
  # Secure must be on where HTTPS is served (production), not in development,
  # where a Secure-only cookie would never be sent back over plain HTTP.
  secure: Rails.env.production?,
  httponly: true

config.session_store is usually set up in config/initializers/session_store.rb and specifies what class to use to store the session. Possible values are :cookie_store which is the default, :mem_cache_store, and :disabled. The last one tells Rails not to deal with sessions.
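As an added example (not from the question or the answer above), the following plain Ruby builds the session_store options so the Secure flag is set outside development, and audits a response's Set-Cookie headers to report any session cookie that is missing Secure or HttpOnly. The helper names, the sample headers and the assumed cookie key "_session_id" are constructed for illustration; Rails itself is not needed to run it.

```ruby
# Added example, not code from the original question or answer.
# Assumed cookie key "_session_id" as in the question; helper names are hypothetical.

# Build the options hash passed to config.session_store for a given environment.
def session_store_options(env, key: "_session_id")
  {
    key: key,
    # Secure everywhere except local development, which runs over plain HTTP;
    # a Secure-only cookie would never be sent back by the browser there.
    secure: env != "development",
    httponly: true
  }
end

# Parse one Set-Cookie header value into its name and the two flags we care about.
def parse_set_cookie(header)
  parts = header.split(";").map(&:strip)
  name = parts.shift.split("=", 2).first
  attrs = parts.map { |p| p.split("=", 2).first.downcase }
  {
    raw: header,
    name: name,
    secure: attrs.include?("secure"),
    httponly: attrs.include?("httponly")
  }
end

# Return the Set-Cookie header values for the session cookie that lack
# Secure or HttpOnly, so a deploy check can fail on a misconfigured store.
def insecure_session_cookies(set_cookie_headers, key: "_session_id")
  set_cookie_headers.map { |h| parse_set_cookie(h) }
                    .select { |c| c[:name] == key }
                    .reject { |c| c[:secure] && c[:httponly] }
                    .map { |c| c[:raw] }
end

# Constructed sample headers, as a browser would receive them.
SAMPLE_HEADERS = [
  "_session_id=abc123; path=/; HttpOnly",           # missing Secure: reported
  "_session_id=def456; path=/; secure; HttpOnly",   # correctly flagged
  "remember_me=1; path=/"                           # not the session cookie: ignored
].freeze

if __FILE__ == $0
  p session_store_options("production")
  p insecure_session_cookies(SAMPLE_HEADERS)
end
```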