In a Rails app, the session cookie can be easily set to include the secure
cookie attribute, when sending over HTTPS to ensure that the cookie is not leaked over a
The base issue is that, by definition of Set-Cookie, cookies with secure set may only be sent via secure connections.
So not sending cookies with secure set over HTTP is the expected behavior.
You might want to set different cookie options in different environments. In config/environments/development.rb you could set:
    Rails.application.configure do
      config.session_store :cache_store, key: COOKIE_NAME, same_site: :none
    end
and in production (config/environments/production.rb), where you deploy your site with HTTPS:
    Rails.application.configure do
      config.session_store :cache_store, key: COOKIE_NAME, same_site: :lax, secure: true
    end
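
To check which attributes an environment actually emits, the Set-Cookie header can be audited directly. The following is an added example in plain Ruby, not code from the original answer; the header strings are constructed samples, `_app_session` is a placeholder cookie name, and the helper names are hypothetical.

```ruby
# Constructed sample headers; "_app_session" is a placeholder cookie name.
DEV_HEADER  = "_app_session=abc123; path=/; HttpOnly; SameSite=None"
PROD_HEADER = "_app_session=abc123; path=/; HttpOnly; SameSite=Lax; secure"

# Parse "name=value; attr; attr=value" into the cookie name, its value and a
# hash of lower-cased attributes (flag attributes such as Secure map to true).
def parse_set_cookie(header)
  pair, *attrs = header.split(";").map(&:strip)
  name, value = pair.split("=", 2)
  attributes = attrs.reject(&:empty?).to_h do |attr|
    key, val = attr.split("=", 2)
    [key.downcase, val.nil? ? true : val]
  end
  { name: name, value: value, attributes: attributes }
end

# Would a browser attach this cookie to a request using the given scheme?
# Only the Secure rule is modelled: Secure cookies travel over HTTPS only.
def sent_over?(cookie, scheme)
  return true unless cookie[:attributes]["secure"]
  scheme.to_s.downcase == "https"
end

# Findings for a cookie set by a site that is served over `scheme`.
def audit(cookie, scheme)
  attrs = cookie[:attributes]
  findings = []
  if scheme == "https" && !attrs["secure"]
    findings << "missing Secure: cookie may also be sent over plain HTTP"
  end
  if scheme == "http" && attrs["secure"]
    findings << "Secure set on an HTTP site: cookie will not be sent back"
  end
  if attrs["samesite"].to_s.downcase == "none" && !attrs["secure"]
    findings << "SameSite=None without Secure: rejected by browsers such as Chrome"
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  [[DEV_HEADER, "http"], [PROD_HEADER, "https"], [PROD_HEADER, "http"]].each do |header, scheme|
    cookie = parse_set_cookie(header)
    puts "#{scheme}: sent=#{sent_over?(cookie, scheme)} findings=#{audit(cookie, scheme).inspect}"
  end
end
```
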