Tech-Angels

Make cookies more secure in Ruby On Rails

This subject is rarely highlighted in Rails security docs, not even in the official guide.

We are often happy with the basic cookie store options:

Secure websites (e-commerce sites, for instance) must, however, use some more secure options. Cookies have two attributes people usually don't use:

  • Secure: “A server can specify the secure flag while setting a cookie; the browser will then send it only over a secure channel, such as an SSL connection.”
  • Expires: “Cookies expire, and are therefore not sent by the browser to the server, under any of these conditions: […] An expiration date has been specified, and has passed.”

(Definitions taken from Wikipedia)

The latter means the session AND the cookie will expire after the given date. It's generally a good idea to set this option: unless you're running facebook.com, people won't spend more than 1 hour per day on your site.

To enable these 2 options, you can use the configuration in config/environment.rb:

You should set the secure option per environment, otherwise your dev environment will fail. To do so, add a line in each secure environment's configuration:
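As an added example (not the post's own snippet), here is plain Ruby that builds the session options per environment, renders the Set-Cookie header a cookie store would emit from them, and audits a header for the two attributes. The option names :secure, :expire_after and :httponly are the Rack session option names; the cookie name and the list of environments served over SSL are assumptions.

```ruby
require 'time'

ONE_HOUR = 60 * 60

# Only environments served over SSL get the Secure flag; development stays on
# plain HTTP, which is why the flag has to be set per environment (assumed list).
SECURE_ENVIRONMENTS = %w[production staging].freeze

def session_options(env)
  {
    :key          => '_myapp_session',            # assumed cookie name
    :expire_after => ONE_HOUR,                    # session and cookie expire together
    :secure       => SECURE_ENVIRONMENTS.include?(env),
    :httponly     => true
  }
end

# Renders the Set-Cookie header these options produce.
# `now` is injected so the Expires attribute is deterministic.
def set_cookie_header(opts, value, now = Time.now.utc)
  parts = ["#{opts[:key]}=#{value}", 'path=/']
  if opts[:expire_after]
    parts << "expires=#{(now + opts[:expire_after]).httpdate}"
  end
  parts << 'secure'   if opts[:secure]
  parts << 'HttpOnly' if opts[:httponly]
  parts.join('; ')
end

# Audit: returns the attributes missing from a Set-Cookie header, the check
# you would run against the live HTTPS response of each environment.
def missing_cookie_attributes(header)
  attrs = header.split(';').map { |a| a.strip.downcase }
  missing = []
  missing << 'Secure'  unless attrs.include?('secure')
  missing << 'Expires' unless attrs.any? { |a| a.start_with?('expires=') }
  missing
end

if __FILE__ == $0
  %w[development production].each do |env|
    header = set_cookie_header(session_options(env), 'abc123')
    puts "#{env}: #{header}"
    puts "  missing: #{missing_cookie_attributes(header).inspect}"
  end
end
```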
