
As far as I'm aware, Rails doesn't use secure-flag cookies by default; you need to have something like this in config/initializers/session_store.rb:

  # true outside test/development, so the flag is only enforced where TLS is in use
  local_env = !(Rails.env.test? || Rails.env.development?)
  MyApp::Application.config.session_store(:cookie_store, {
    key:    '_my_app_session',
    secure: local_env, # ... or just true, so the cookie is never sent over plain HTTP
  })
Yes, somebody who has gone looking for this can find it, but I'd argue that Rails should at least give you the secure: ... option in a comment block. Anything less is just inviting people to get bitten by the lack of it.



You can set config.force_ssl = true to easily enable secure session cookies and strict transport security amongst other things.
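Whichever route you take (the explicit `secure:` option from the first comment or `config.force_ssl = true`), it is worth verifying what the app actually sends. This is an added example, not code from the thread or from Rails: a small header auditor that checks Set-Cookie values for the Secure, HttpOnly and SameSite attributes and checks for the HSTS header that force_ssl adds; the two responses at the bottom are constructed samples.

```ruby
# Added example: audit response headers for the cookie flags discussed above.
# No Rails app is involved; the header samples at the bottom are constructed.

# Parse one Set-Cookie header value into its cookie name and a hash of
# attributes. Attribute names are case-insensitive (RFC 6265), so they are
# downcased; flag attributes without a value (Secure, HttpOnly) map to true.
def parse_set_cookie(value)
  name_value, *attrs = value.split(";").map(&:strip)
  name = name_value.split("=", 2).first
  attributes = {}
  attrs.each do |attr|
    k, v = attr.split("=", 2)
    attributes[k.downcase] = v.nil? ? true : v
  end
  { name: name, attributes: attributes }
end

# Return a list of findings for a hash of lower-cased response headers.
# An empty list means every cookie is Secure + HttpOnly with SameSite set,
# and Strict-Transport-Security is present.
def audit_headers(headers)
  findings = []
  Array(headers["set-cookie"]).each do |raw|
    cookie = parse_set_cookie(raw)
    a = cookie[:attributes]
    findings << "#{cookie[:name]}: missing Secure flag" unless a["secure"]
    findings << "#{cookie[:name]}: missing HttpOnly flag" unless a["httponly"]
    findings << "#{cookie[:name]}: missing SameSite attribute" unless a["samesite"]
  end
  hsts = headers["strict-transport-security"]
  findings << "no Strict-Transport-Security header" if hsts.nil? || hsts.empty?
  findings
end

# Constructed samples: a cookie_store session cookie issued without `secure:`,
# versus a response from an app that also sends HSTS.
INSECURE_RESPONSE = {
  "set-cookie" => ["_my_app_session=abc123; path=/; HttpOnly"]
}
HARDENED_RESPONSE = {
  "set-cookie" => ["_my_app_session=abc123; path=/; secure; HttpOnly; SameSite=Lax"],
  "strict-transport-security" => "max-age=31536000"
}

if __FILE__ == $PROGRAM_NAME
  puts "insecure: #{audit_headers(INSECURE_RESPONSE).inspect}"
  puts "hardened: #{audit_headers(HARDENED_RESPONSE).inspect}"
end
```

Point it at the headers of a real response (for example from `curl -sI`) by lower-casing the header names and collecting every Set-Cookie line into the array.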
