Relationship between the Rails cookie object, the Cookie HTTP header, and document.cookie

When I access document.cookie in JavaScript, it spits out, say:

'user_credentials=5beea8874f2db9feb873828'

Basically, what appears to be some encoded information. Fine.

When I look at the headers, I do see that exact same string being set to user_credentials, but there's also another value being set for _myapplication_session=BAh7CiIQX. Unlike with user_credentials, this one includes capital letters and letters after F.

So:

  • What is _myapplication_session? Is this related to the session object in Rails?
  • Why doesn't _myapplication_session show up with JavaScript document.cookie?

Steven, asked Jan 23 '11 18:01


1 Answer

What is _myapplication_session? Is this related to the session object in Rails?

Yes, this is the way Rails identifies user sessions.

Why doesn't _myapplication_session show up with Javascript document.cookie?

I believe Rails sets httponly=>true on session cookies, which means they are (generally) not accessible using client-side scripts, as described in this SO thread.

zetetic, answered Oct 10 '22 21:10
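The difference the question observed and the answer explains (every cookie travels back in the Cookie request header, but document.cookie only exposes cookies without the HttpOnly attribute) can be modelled in a few lines. The following is an added example, not code from the question, the answer or Rails itself: a minimal cookie-jar model with a parser for Set-Cookie headers. The cookie names and values are constructed samples in the shape of those in the question, and the model deliberately ignores Path, Domain, Secure and expiry matching, which a real browser also applies before sending a cookie.

```javascript
// Added example: a minimal model of a browser cookie jar, showing why a cookie
// sent with the HttpOnly attribute is still returned to the server in the Cookie
// header but never appears in document.cookie. Not Rails or browser code.

// Parse one Set-Cookie response header into { name, value, attrs }.
// Attribute names are case-insensitive per RFC 6265, so they are lower-cased.
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  if (eq < 0) throw new Error('Set-Cookie without name=value: ' + header);
  const name = pair.slice(0, eq);
  const value = pair.slice(eq + 1);
  const attrs = {};
  for (const part of attrParts) {
    if (part === '') continue;
    const i = part.indexOf('=');
    const key = (i < 0 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i < 0 ? true : part.slice(i + 1);
  }
  return { name, value, attrs };
}

class CookieJar {
  constructor() {
    this.cookies = new Map(); // name -> parsed cookie; a later Set-Cookie replaces an earlier one
  }

  // Store every Set-Cookie header the server sent in one response.
  store(setCookieHeaders) {
    for (const h of setCookieHeaders) {
      const c = parseSetCookie(h);
      this.cookies.set(c.name, c);
    }
    return this;
  }

  // What the browser puts in the Cookie request header: all stored cookies,
  // HttpOnly or not (simplification: no Path/Domain/Secure/expiry filtering).
  cookieHeader() {
    return [...this.cookies.values()].map((c) => `${c.name}=${c.value}`).join('; ');
  }

  // What document.cookie exposes to page script: only cookies that were set
  // WITHOUT the HttpOnly attribute. This is why the Rails session cookie, which
  // Rails sets with httponly: true, is absent from document.cookie.
  documentCookie() {
    return [...this.cookies.values()]
      .filter((c) => !('httponly' in c.attrs))
      .map((c) => `${c.name}=${c.value}`)
      .join('; ');
  }
}

// Constructed sample headers in the shape the question describes: a plain
// credential cookie and the Rails session cookie, the latter flagged HttpOnly.
const SAMPLE_SET_COOKIE_HEADERS = [
  'user_credentials=5beea8874f2db9feb873828; path=/',
  '_myapplication_session=BAh7CiIQX; path=/; HttpOnly',
];

// Returns both views of the same jar so the contrast is visible side by side.
function demo() {
  const jar = new CookieJar().store(SAMPLE_SET_COOKIE_HEADERS);
  return { cookieHeader: jar.cookieHeader(), documentCookie: jar.documentCookie() };
}

const result = demo();
console.log('Cookie header sent to server  :', result.cookieHeader);
console.log('document.cookie seen by script:', result.documentCookie);
```

Running it prints both cookies on the first line and only user_credentials on the second, which matches what the question saw in the request headers versus document.cookie. From a defender's viewpoint this is the point of HttpOnly: the session cookie remains usable for server-side authentication while being out of reach of any script running in the page, so an injected script cannot read it. The user_credentials cookie, set without the flag, gets no such protection.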