How do I set the HttpOnly flag on a cookie in Ruby on Rails
Set the 'http_only' option in the hash used to set a cookie
e.g.
cookies["user_name"] = { :value => "david", :httponly => true }
or, in Rails 2:
e.g.
cookies["user_name"] = { :value => "david", :http_only => true }
Re Laurie's answer:
Note that the option was renamed from :http_only to :httponly (no underscore) at some point.
In actionpack 3.0.0, that is, Ruby on Rails 3, all references to :http_only are gone.
That threw me for a while.
If you’ve a file called config/session_store.rb including this line (Rails 3+), then it’s automatically set already.
config/initializers/session_store.rb:
# Be sure to restart your server when you modify this file.
Rails.application.config.session_store :cookie_store, key: "_my_application_session"
Also, Rails allows you to set the following keys:
:expires - The time at which this cookie expires, as a Time object.
:secure - Whether this cookie is only transmitted to HTTPS servers. Default is false.
I also wrote a patch that is included in Rails 2.2, which defaults the CookieStore session to be http_only.
Unfortunately session cookies are still by default regular cookies.
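An added example, not part of the original answers: because the option name differs between Rails versions (:http_only vs :httponly), checking the Set-Cookie headers the application actually emits confirms whether the flag made it onto each cookie. The function names and the sample headers are constructed for illustration.

```ruby
# Audit Set-Cookie headers for the HttpOnly and Secure attributes.
# parse_set_cookie, cookies_missing and SAMPLE_HEADERS are hypothetical names.

# Parse one Set-Cookie line into the cookie name and the attributes it carries.
# Only the segments after the first ";" are attributes; the first is name=value,
# so a cookie whose *value* happens to be "httponly" is not mistaken for flagged.
def parse_set_cookie(line)
  pair, *attrs = line.split(";").map(&:strip)
  name, _value = pair.split("=", 2)
  # Attribute names are case-insensitive; drop any "=value" part (e.g. path=/).
  flags = attrs.map { |a| a.split("=", 2).first.to_s.downcase }
  { name: name, httponly: flags.include?("httponly"), secure: flags.include?("secure") }
end

# Return the names of cookies lacking the given attribute (:httponly or :secure).
# Accepts one header string, an array of them, or a newline-joined string,
# since Rack responses can carry multiple Set-Cookie values in either form.
def cookies_missing(attribute, headers)
  lines = Array(headers).flat_map { |h| h.split("\n") }.reject(&:empty?)
  lines.map { |l| parse_set_cookie(l) }
       .reject { |c| c[attribute] }
       .map { |c| c[:name] }
end

# Constructed sample headers (not captured from a real application).
SAMPLE_HEADERS = [
  "_my_application_session=abc123; path=/; HttpOnly",  # session cookie, flagged
  "user_name=david; path=/",                           # flag absent
  "theme=httponly; path=/httponly; Secure",            # value/path only look like the flag
  "a=1; path=/; httponly\nb=2; path=/"                 # two cookies joined by a newline
].freeze

if __FILE__ == $PROGRAM_NAME
  puts "Missing HttpOnly: #{cookies_missing(:httponly, SAMPLE_HEADERS).join(', ')}"
  puts "Missing Secure:   #{cookies_missing(:secure, SAMPLE_HEADERS).join(', ')}"
end
```

In an integration test, the same check can be run over the Set-Cookie value of a real response so that a regression after a Rails upgrade fails the build.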