[ACCEPTED]-How do I set the HttpOnly flag on a cookie in Ruby on Rails-ruby

Accepted answer
Score: 38

Set the 'http_only' option in the hash used 1 to set a cookie


cookies["user_name"] = { :value => "david", :httponly => true }

or, in Rails 2:


cookies["user_name"] = { :value => "david", :http_only => true }
Score: 12

Re Laurie's answer:

Note that the option 4 was renamed from :http_only to :httponly (no underscore) at 3 some point.

In actionpack 3.0.0, that is, Ruby 2 on Rails 3, all references to :http_only are gone.

That 1 threw me for a while.

Score: 7

Just set :http_only to true as described 1 in the changelog.

Score: 4

If you’ve a file called config/session_store.rb 3 including this line (Rails 3+), then it’s 2 automatically set already. config/initializers/session_store.rb:

# Be sure to restart your server when you modify this file.
Rails.application.config.session_store :cookie_store, key: "_my_application_session"

Also rails allows 1 you to set following keys:

:expires - The time at which this cookie expires, as a Time object.

:secure - Whether this cookie is only transmitted to HTTPS servers. Default is false.

Score: 1

I also wrote a patch that is included in 3 Rails 2.2, which defaults the CookieStore 2 session to be http_only.

Unfortunately session 1 cookies are still by default regular cookies.

More Related questions