Forum: Ruby on Rails: Does session_secure work?

Cynthia Kiser (Guest)
on 2010-02-03 03:10
(Received via mailing list)
I am trying to get session cookies set so they are only returned over SSL
connections. I looked in AWDWR and see there is a parameter :session_secure.
The book says 'If true, sessions will be enabled only over https://'. The
example code in that section of the book shows:

class ApplicationController < ActionController::Base
  session :session_key => 'somekey_text'
end

So I tried setting session :session_secure => true in ApplicationController.
No change.

I found this post http://www.rorsecurity.info/journal/2007/4/12/sess... on
session hijacking that suggested:

To instruct the browser only to send the cookie over encrypted HTTPS and
never over normal HTTP, you have to include the following line in the
config/environment.rb file.

ActionController::Base.session_options[:session_secure] = true

I tried that (and yes, restarted my server) but no change. My Rails version
is 2.3.5.

I am trying to verify things by looking at the cookie information in the
Firefox preferences pane. I have some cookies that report "Send For:
Encrypted connections only" but no matter what I set in my Rails app, that
cookie says "Send For: Any type of connection".

Don't think it should matter, but I am testing with Apache2 proxying to
Mongrel. My production hosting will be Apache + passenger.

This is driving me mad. Thanks in advance,

--
Cynthia Kiser
cynthia.kiser@gmail.com
Frederick Cheung (Guest)
on 2010-02-03 09:24
(Received via mailing list)
On Feb 3, 2:08 am, Cynthia Kiser <cynthia.ki...@gmail.com> wrote:
>
> ActionController::Base.session_options[:session_secure] = true
>
> I tried that (and yes, restarted my server) but no change. My Rails version
> is 2.3.5

The names of the session options changed in 2.3. Try just :secure instead.

Fred
Cynthia Kiser (Guest)
on 2010-02-03 23:36
(Received via mailing list)
> The names of the session options changed in 2.3. Try just :secure
> instead
>

Thank you Fred. That was just the ticket! In config/environment.rb:

ActionController::Base.session_options[:secure] = true

--
Cynthia Kiser
cynthia.kiser@gmail.com
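The thread establishes the fix (the 2.3 option name is :secure, not :session_secure) but not how to confirm it, or why an Apache front end proxying to Mongrel matters. The following is an added example, not code from the thread or from Rails itself: a simplified model of how a Rack/Rails 2.3 cookie store emits the session Set-Cookie header and how the app decides a request was TLS. The env keys HTTPS and HTTP_X_FORWARDED_PROTO are the ones Rack exposes; the helper names (ssl_request?, session_set_cookie, secure_cookie?, audit_session_cookie), the cookie name _myapp_session and the sample envs are constructed for illustration.

```ruby
require 'uri'

# Simplified model of how Rails 2.3 decides request.ssl? (not the framework's
# own code): a direct TLS hit sets HTTPS=on, while a TLS-terminating proxy
# such as Apache in front of Mongrel or Passenger has to forward the scheme,
# e.g. in the SSL vhost:  RequestHeader set X-Forwarded-Proto "https"
def ssl_request?(env)
  env['HTTPS'] == 'on' || env['HTTP_X_FORWARDED_PROTO'] == 'https'
end

# Build a Set-Cookie header value the way a Rack-based cookie store does,
# using the Rails 2.3 option names. Only :secure adds the Secure attribute;
# an unrecognised key such as the pre-2.3 :session_secure is simply ignored,
# which is the "no change" the original poster saw.
def session_set_cookie(key, value, options = {})
  parts = ["#{URI.encode_www_form_component(key)}=#{URI.encode_www_form_component(value)}"]
  parts << "path=#{options[:path] || '/'}"
  parts << 'HttpOnly' if options[:httponly]
  parts << 'secure'   if options[:secure]
  parts.join('; ')
end

# True when the header carries the Secure attribute (attribute names are
# case-insensitive, so "Secure" and "secure" both count).
def secure_cookie?(header)
  header.split(';').map { |a| a.strip.downcase }.include?('secure')
end

# The check to run against a real response. Returns one of:
#   :ok               Secure attribute present and the app saw a TLS request
#   :missing_secure   cookie has no Secure attribute (wrong option name, or
#                     the setting never reached the session store)
#   :secure_but_plain Secure attribute present, but the app saw plain HTTP:
#                     either a genuine http:// request, or a proxy that
#                     terminated TLS without forwarding X-Forwarded-Proto
def audit_session_cookie(env, header)
  return :missing_secure unless secure_cookie?(header)
  ssl_request?(env) ? :ok : :secure_but_plain
end

if __FILE__ == $0
  # Constructed sample envs, not captured traffic.
  direct_tls     = { 'HTTPS' => 'on' }
  proxied_tls    = { 'HTTP_X_FORWARDED_PROTO' => 'https' }
  proxied_no_hdr = {} # Apache terminated TLS but forwarded nothing

  old_name = session_set_cookie('_myapp_session', 'abc123', :session_secure => true)
  new_name = session_set_cookie('_myapp_session', 'abc123', :secure => true, :httponly => true)
  puts old_name # _myapp_session=abc123; path=/   (no Secure attribute)
  puts new_name # _myapp_session=abc123; path=/; HttpOnly; secure
  [direct_tls, proxied_tls, proxied_no_hdr].each do |env|
    puts "#{env.inspect} => #{audit_session_cookie(env, new_name)}"
  end
end
```

The practical check this encodes: read the Set-Cookie header off a real HTTPS response (curl -I against the site, or the browser's cookie pane as in the original post) and look for the literal "secure" attribute; if it is there but the app is behind a TLS-terminating proxy, also confirm the proxy forwards X-Forwarded-Proto so the application can tell HTTPS from HTTP.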
Noha MS (noha)
on 2012-10-30 21:09
I tried
ActionController::Base.session_options[:secure] = true
and the session cookie is not set at all. I'm in 2.3.8
If I set it to false everything works fine, but if it's true the server
never sets the cookie even if the request is over HTTPS (although my
understanding is that it should set it anyway).