Wednesday, February 9, 2011

How do I set HttpOnly on a session cookie in Rails 2.1?

I notice that Rails 2.2 (currently edge) supports setting HttpOnly on the session cookie.

Is there a way of setting it on a Rails 2.1 application without moving to edge/2.2?

  • Set the http_only option to true in the cookie's options hash:

    cookies['visits'] = { :value => '20', :http_only => true }
    
    tomtaylor : Thanks John - that works for cookies that are set manually, but not for the session cookie.
    John Topley : Oh, sorry - I didn't read the question closely enough!
  • Well it isn't supported, as you note, but you can of course monkey-patch Rails to do what you want. Actually, the difference between directly patching your Rails v. monkey-patching in this case is very little, as either would be removed/reverted when you upgrade to 2.2.

    In both cases you would look at that applied diff as a guide for patching 2.1 yourself - either through applying the patch directly (modulo any 2.1/edge differences), or by reopening those classes from your own code post-environment-loading to apply the changes.

    tomtaylor : I guess that's the only way. Thanks!
  • I have written a monkey patch to add this support to Rails 2.1, from the patch for Rails 2.2.

    I've not tested on anything other than Rails 2.1, and your mileage may vary!

    From tomtaylor

0 comments:

Post a Comment