Set “secure” flag on session cookie in RoR even over HTTP

后端 未结 3 2199
没有蜡笔的小新
没有蜡笔的小新 2021-02-20 14:39

In a Rails app, the session cookie can be easily set to include the secure cookie attribute, when sending over HTTPS to ensure that the cookie is not leaked over a

3条回答
  •  感情败类
    2021-02-20 15:42

    Secure cookies are not sent over non-secure connections by definition.

    Terminating SSL upstream is quite common, but you need to pass certain header fields through so that Rails knows and can do the right thing.

    Here's a document that explains the configuration in pretty good detail for nginx. Search for "Set headers" to jump to the section describing the specific headers you need to pass through.

    There are security considerations using this configuration, e.g., if the device terminating SSL is not on the same secure LAN as the Rails host, then you have a vulnerability.

提交回复
热议问题