Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Set "secure" flag on session cookie in RoR even over HTTP

In a Rails app, the session cookie can be easily set to include the secure cookie attribute, when sending over HTTPS to ensure that the cookie is not leaked over a non-HTTP connection.

However, if the Rails app is NOT using HTTPS, but HTTP only, it seems that it doesnt even set the cookie at all.
While this does make some sense, in this scenario there is a seperate front end load balancer, which is responsible for terminating the SSL connection. From the LB to the Rails app, the connection is HTTP only.

How can I force the Rails app to set a secure cookie, even when not using HTTPS?

like image 565
AviD Avatar asked Jan 24 '13 09:01

AviD


1 Answers

Secure cookies are not sent over non-secure connections by definition.

Terminating SSL upstream is quite common, but you need to pass certain header fields through so that Rails knows and can do the right thing.

Here's a document that explains the configuration in pretty good detail for nginx. Search for "Set headers" to jump to the section describing the specific headers you need to pass through.

There are security considerations using this configuration, e.g., if the device terminating SSL is not on the same secure LAN as the Rails host, then you have a vulnerability.

like image 141
pduey Avatar answered Sep 29 '22 13:09

pduey