Hi,
I m using cookies on my website, so my user don t have to login each
time…
But there is a security hole behind that, it s why i would like to
know is it possible de send and check the cookies using HHTPS … ?
Ii guess it could help many people to secure their web application…
Thks,
Guillaume.
Differenthink wrote:
when you set your cookie, pass :secure => true
http://ap.rubyonrails.com/classes/ActionController/Cookies.html
If I understood your question correctly.
Thanks for you answer,
So only this params make my cookies transaction secured ?
(seems to easy)
On 9 août, 22:30, Dave C. [email protected]
Differenthink wrote:
So only this params make my cookies transaction secured ?
(seems to easy)
Just means that the server can only read the cookie from the browser
over an https connection. Don’t believe the cookie data is stored any
differently on the client side.
Hum well it works, my cookies is secured… but when i want to get its
value back, doesn t work any more… i guess there is something else
to do ?
Thks for helping
Well ok… so it seems i ve to find a way to get it back from a secure
https connection… but don t know how to handle that…
if anyone have an idea ?
On 9 août, 22:59, Dave C. [email protected]
On Aug 9, 5:09 pm, Differenthink [email protected] wrote:
Well ok… so it seems i ve to find a way to get it back from a secure
https connection… but don t know how to handle that…
Is the domain name between the unsecured and secured site the same?
That is my problem, i dont actually have a secured site… let me
explain to you :
I use cookie to avoid my user to always login… so when they go to my
website, i check if they have the cookie, and if they do, i put their
login in a session…
Why do i want security ?
because cookies are king of security hole, so i would like to be able
to transmit them and received them via secured way, i guess it s
HTTPS, but i ve no idea of how to implement it… if you could explain
to me,
(i don t all my site https, but also i ve to check if the cookies is
present, on any page, i actually do that in my application layout, via
an helper)
thx
Guillaume.
Differenthink wrote:
Well ok… so it seems i ve to find a way to get it back from a secure
https connection… but don t know how to handle that…if anyone have an idea ?
If you use Firefox as your browser, I’d suggest downloading and
installing the developer toolbar:
With it you can view your cookie data on the cookies button.
Cookies > View Cookie Information
There is also cookie monster:
To retrieve a cookie that has been set from https, you must be accessing
it from https. So, if the URL in your browser doesn’t start with https,
you wont be able to read it.
On Aug 9, 5:48 pm, Differenthink [email protected] wrote:
to me,
(i don t all my site https, but also i ve to check if the cookies is
present, on any page, i actually do that in my application layout, via
an helper)
Usually, if the domain name matches or you’re using a wildcard
(i.e. .domain.com instead of www.domain.com) then the browser will
automatically send cookies that match to your application. Not much
else to it.
Differenthink wrote:
to me,
(i don t all my site https, but also i ve to check if the cookies is
present, on any page, i actually do that in my application layout, via
an helper)
A cookie is sent for each request matching a set of rules, primarily the
hostname but also optionnaly the path and the fact that the contact
method is secure or not. If you send the cookie by HTTPS, you send your
request by HTTPS, you receive you response by HTTPS so you have a full
blown HTTPS site.
Lionel
"To retrieve a cookie that has been set from https, you must be
accessing
it from https. So, if the URL in your browser doesn’t start with
https,
you wont be able to read it. "
How can i do that if i check the cookie on any page through the
application layout… in that case which page has to be https, or can
only an action be https ??
On 9 août, 23:45, Dave C. [email protected]
Differenthink wrote:
"To retrieve a cookie that has been set from https, you must be
accessing
it from https. So, if the URL in your browser doesn’t start with
https,
you wont be able to read it. "
I’m not sure this is actually the case, cookies set without the secure
option should be readable on a plain connection if I read the RFC
correctly.
How can i do that if i check the cookie on any page through the
application layout… in that case which page has to be https, or can
only an action be https ??
A page and an action aren’t HTTPS. A page is (usually) HTML content that
you always return through the same means you got your request, it
doesn’t know if its http or https (or more accurately it shouldn’t need
to) . The action usually describes the code that performs pure
computations, in Rails it usually doesn’t bother with http and https,
this is the web server (Apache, lighttpd, nginx, …) which is in charge
of implementing the https protocol. The only link between https and
Rails are:
Lionel
thx for the answer… i think i ll not go deeper in integration of
secure cookies for my website…
On 10 août, 02:22, Lionel B. [email protected]
This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.
Sponsor our Newsletter | Privacy Policy | Terms of Service | Remote Ruby Jobs