I'm setting a cookie in the browser like so:
    def set_browser_cookie
      cookies.permanent[:ignore_stats_cookie] = {
        :value    => STAT_COOKIE,
        :domain   => :all,
        :secure   => false,
        :httponly => false
      }
      redirect_to settings_path
    end
When I look at the cookie in Chrome in DEVELOPMENT, the cookie allows for any kind of connection.
When I look at the cookie in Chrome in PRODUCTION, the cookie is only allowing secure connections (the app itself is https).
I'm setting the cookie to :secure => false, so why is the cookie being set for secure connections only in production?
I'm having the same issue, and was able to reproduce it on my development machine using the tunnels gem as a proxy and setting force_ssl = true in the 'development' environment.
I've debugged Rack and ActionPack, and found that the header is being sent without "; secure" at the end, but it is modified after that.
My next step would be to use Wireshark to capture the SSL session and decrypt it, but I've run out of time.
I tested using a PHP app hosted behind nginx, and while using HTTPS, the server was able to send cookies that did not include the secure flag. So this issue is definitely specific to the stack that we're using with Rails, not a browser issue.
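The observation above (the cookie leaves ActionPack without "; secure" and is modified afterwards when force_ssl is on) is what a middleware layer does to responses: in Rails, config.force_ssl = true inserts ActionDispatch::SSL, which flags response cookies as secure. As an added illustration, not code from the question, the answer or Rails itself, the following hypothetical Rack-style stand-in shows the mechanism: the application sets the cookie without the flag, and the wrapper appends it to every Set-Cookie on HTTPS requests; class, method and cookie names are assumptions.

```ruby
# Added example (not code from the question, the answer, or Rails): a
# stand-in for a force_ssl-style layer that rewrites Set-Cookie headers
# after the application has already built its response. Class and method
# names are hypothetical; the cookie value is a constructed sample.

# Application layer: sets the cookie WITHOUT the secure flag, as the
# question's controller does.
COOKIE_APP = lambda do |_env|
  headers = {
    "Content-Type" => "text/plain",
    "Set-Cookie"   => "ignore_stats_cookie=STAT_COOKIE; path=/; domain=.example.test",
  }
  [302, headers, ["redirecting"]]
end

# Middleware layer: when the request arrived over HTTPS, flag every cookie
# in the response as secure, regardless of what the application asked for.
class ForceSecureCookies
  def initialize(app)
    @app = app
  end

  def call(env)
    status, headers, body = @app.call(env)
    if env["rack.url_scheme"] == "https" && headers["Set-Cookie"]
      headers["Set-Cookie"] = flag_cookies_secure(headers["Set-Cookie"])
    end
    [status, headers, body]
  end

  private

  # Rack may join several cookies with newlines; append "; secure" to each
  # one that does not already carry the flag.
  def flag_cookies_secure(value)
    value.split("\n").map do |cookie|
      cookie =~ /;\s*secure\s*(;|\z)/i ? cookie : "#{cookie}; secure"
    end.join("\n")
  end
end

# Does every cookie in a response carry the secure flag?
def cookie_secure?(headers)
  cookies = headers["Set-Cookie"].to_s.split("\n")
  !cookies.empty? && cookies.all? { |c| c =~ /;\s*secure\s*(;|\z)/i }
end

# Run the same app over the given scheme, with or without the middleware.
def set_cookie_for(scheme, wrapped: true)
  app = wrapped ? ForceSecureCookies.new(COOKIE_APP) : COOKIE_APP
  _status, headers, _body = app.call("rack.url_scheme" => scheme)
  headers
end
```

Over plain HTTP, or with the wrapper removed, the header reaches the browser exactly as the controller wrote it; over HTTPS through the wrapper it gains "; secure", which is why the cookie's :secure => false has no effect in production.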