As far as I'm aware, Rails doesn't use secure-flag cookies by default; you need to have something like this in config/initializers/session_store.rb:
# true everywhere except test and development, i.e. wherever the app is served over HTTPS
local_env = !(Rails.env.test? || Rails.env.development?)
MyApp::Application.config.session_store(:cookie_store, {
  key: '_my_app_session',
  secure: local_env, # ... or just true; the browser then only sends the cookie over HTTPS
})
Yes, somebody who has gone looking for this can find it, but I'd argue that Rails should at least give you the secure: ... option in a comment block. Anything less is just inviting people to get bitten by the lack of it.
Who in late 2013 (with enough clue to care about this issue) is still using non-secure-flag cookies for anything even remotely important?!
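Added example, not from the post above: a small stdlib-only Ruby check for confirming that a session_store setting like the one above actually took effect. It parses Set-Cookie headers and reports session cookies that lack the Secure or HttpOnly attribute. The sample headers are constructed for the example, the cookie-name pattern (_session suffix, Rails' default key style) is an assumption, and the function names are mine.

```ruby
# Added example (not the original poster's code): audit Set-Cookie headers
# for session cookies missing the Secure / HttpOnly attributes.

# Parse one Set-Cookie header into its name, value and attribute hash.
# Attribute names are case-insensitive per RFC 6265, so they are downcased;
# valueless attributes (Secure, HttpOnly) map to true.
def parse_set_cookie(header)
  pair, *attrs = header.split(/;\s*/)
  name, value = pair.split('=', 2)
  attributes = {}
  attrs.each do |attr|
    key, val = attr.split('=', 2)
    attributes[key.downcase] = val.nil? ? true : val
  end
  { name: name, value: value, attributes: attributes }
end

# Return the flags a sensitive cookie is missing (empty array if none, or if
# the cookie is not considered sensitive). Assumption: cookies whose name ends
# in "_session" are session cookies; pass a different regex to override.
def missing_flags(header, sensitive: /_session\z/)
  cookie = parse_set_cookie(header)
  return [] unless cookie[:name] =~ sensitive
  %w[secure httponly].reject { |flag| cookie[:attributes].key?(flag) }
end

# Audit a list of Set-Cookie headers; returns { cookie_name => [missing flags] }
# containing only the cookies that have a finding.
def audit(headers)
  headers.each_with_object({}) do |h, report|
    flags = missing_flags(h)
    report[parse_set_cookie(h)[:name]] = flags unless flags.empty?
  end
end

# Constructed sample headers (not captured from a real app).
SAMPLE_HEADERS = [
  '_my_app_session=BAh7B; path=/; HttpOnly',           # secure flag absent
  '_other_app_session=abc; path=/; secure; HttpOnly',  # secure flag present
  'remember_token=xyz; path=/; HttpOnly',              # not a session cookie, ignored
  'tracking=1; path=/'
]

if __FILE__ == $PROGRAM_NAME
  audit(SAMPLE_HEADERS).each do |name, flags|
    puts "#{name}: missing #{flags.join(', ')}"
  end
end
```

Point the same parser at the headers from a curl -I against a deployed app and you get an immediate answer to whether the secure: option was picked up, rather than trusting the initializer by eye.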