Devise - how does it set session cookies?

I have a scenario where I need to NOT set a session on HTTP, instead only setting it on HTTPS pages. The issue at the moment is that we are sharing the session string between HTTPS and HTTP.

I.e. if you visit our HTTP page, you are assigned a session string (unsecured). When you visit one of our HTTPS pages, it uses the same session string. They are shared across both. We don't want people to be able to snoop the session string across unencrypted connections.

Can someone point me to some reading, or doco, around how I could achieve something like this? Even WHERE to look - I'm a bit stumped. Can't find much.

Dominic Bou-Samra asked Jun 24 '13 23:06



1 Answer

Rails session data is stored in cookies by default; it sounds like you want to use SSL-only cookies?

UPDATED: try adding secure: true in your config/initializers/session_store.rb file, i.e.

secure_option = (Rails.env.development? || Rails.env.test?) ? false : true
YourApp::Application.config.session_store :cookie_store, { key: '_xxxx_session', secure: secure_option }

Devise should use the Rails setting when generating cookies.


original answer

In your config/initializers/devise.rb file there should be a line that looks like this:

 # :secure => true in order to force SSL only cookies.

Try adding it to config.rememberable_options and restarting Rails. NOTE: in development mode that is not what you are going to want; you might be able to do

secure_option = (Rails.env.development? || Rails.env.test?) ? false : true
config.rememberable_options = { :secure => secure_option }

see also:

  • http://railscasts.com/episodes/356-dangers-of-session-hijacking
  • https://github.com/plataformatec/devise/wiki/How-To:-Use-SSL-(HTTPS)
house9 answered Oct 19 '22 00:10
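Added example, not from the answer above or from Devise/Rails: the environment-dependent `secure` rule the answer describes, plus a check that parses `Set-Cookie` headers (constructed sample values) and reports which of the session and remember-me cookies would still be sent over plain HTTP. The cookie key `_xxxx_session` is the answer's placeholder; `remember_user_token` is assumed to be the rememberable cookie name for a `user` scope.

```ruby
# Assumed cookie names: the answer's placeholder session key and the
# rememberable cookie for a Devise "user" scope.
SESSION_KEY = '_xxxx_session'
REMEMBER_KEY = 'remember_user_token'

# Mirror of the answer's rule: set Secure everywhere except development
# and test, which normally run over plain HTTP. httponly: true is an
# added hardening option, not part of the original answer.
def session_store_options(env)
  secure = !%w[development test].include?(env)
  { key: SESSION_KEY, secure: secure, httponly: true }
end

# Parse one Set-Cookie header value into its name, value and the
# lower-cased attribute names (path, expires, secure, httponly, ...).
def parse_set_cookie(header)
  pair, *attrs = header.split(';').map(&:strip)
  name, value = pair.split('=', 2)
  { name: name, value: value, attrs: attrs.map { |a| a.split('=', 2).first.downcase } }
end

# Return the names of the watched cookies that lack the Secure attribute,
# i.e. cookies the browser would also send over unencrypted connections.
def insecure_cookies(set_cookie_headers, watched = [SESSION_KEY, REMEMBER_KEY])
  set_cookie_headers.map { |h| parse_set_cookie(h) }
                    .select { |c| watched.include?(c[:name]) && !c[:attrs].include?('secure') }
                    .map { |c| c[:name] }
end

# Constructed Set-Cookie headers as a response might carry them before
# and after the secure option is applied.
BEFORE_HEADERS = [
  '_xxxx_session=abc123; path=/; HttpOnly',
  'remember_user_token=tok456; path=/; expires=Thu, 01 Jan 2099 00:00:00 GMT; HttpOnly'
].freeze
AFTER_HEADERS = [
  '_xxxx_session=abc123; path=/; secure; HttpOnly',
  'remember_user_token=tok456; path=/; expires=Thu, 01 Jan 2099 00:00:00 GMT; secure; HttpOnly'
].freeze

if __FILE__ == $PROGRAM_NAME
  p session_store_options('production')
  p insecure_cookies(BEFORE_HEADERS)  # => ["_xxxx_session", "remember_user_token"]
  p insecure_cookies(AFTER_HEADERS)   # => []
end
```

Running the check against a real response (e.g. the headers from `curl -I https://yourapp/`) after changing the initializers confirms the flag actually reached the browser.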