Secure session cookies for rails app

I have the following configuration in my session_store.rb

Fuel::Application.config.session_store :cookie_store, :key => "_secure_session", :secure => !(Rails.env.development? || Rails.env.test?), :domain => :all 

In application_controller.rb

 def default_url_options
   return { :only_path => false, :port => 443, :protocol => 'https' }
 end

I am using devise and my rails3 server is running behind HAProxy. HAProxy terminates HTTPS traffic and sends HTTP Rails requests. My problem is when I enable: secure => true in session_store.rb, the user is redirected back to the login page with the message "Unauthorized". I tried debugging it a lot, not sure how to make it work.

This is a situation where HAProxy is a reverse proxy server that terminates all protected traffic and sends unprotected traffic to Rails. When Rails sets a cookie for protection, somehow it cannot access that cookie itself.

+4
2 answers

For your regular session cookie, you are doing it right. You should see that the cookie '_secure_session' is correctly set to be secure in your browser. For the Remember Me cookie, you must set this in the configuration. In config/initializers/devise.rb you will find a line somewhere around line 133, which looks like

 # Options to be passed to the created cookie. For instance, you can set
 # :secure => true in order to force SSL only cookies.
 # config.cookie_options = {}

I changed this to:

 config.rememberable_options = {:secure => Rails.env.production?} 
+7

If the Set-cookie is not sent to the browser during the initial authentication, this sounds like a development issue.

If a Set-Cookie is sent to the browser but not sent back on the following https:// request, then this is probably a :secure => mismatch.

If the cookie is sent by the browser but not transmitted by HAProxy, then this is a HAProxy configuration problem.

If the cookie is in the Ruby environment and is ignored due to policy, then this is a problem somewhere in the Ruby code - when guessing around a secure/insecure cookie.

+1
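The first case above (no Set-Cookie ever reaching the browser) is exactly what happens when a TLS-terminating proxy hands Rails plain HTTP without saying so: the app decides the request is not SSL and refuses to write a cookie flagged :secure. The script below is an added example, not code from the question, the answers, Rack or Rails; `ssl_request?` is a simplified re-implementation of how Rack derives the scheme from forwarded headers, and `set_cookie_headers` models the Rails 3.1+ cookie jar rule that drops secure cookies on non-SSL requests (with the development/test `always_write` short-circuit that hides the bug locally). It assumes the mitigation is to have HAProxy forward the original scheme in an `X-Forwarded-Proto: https` header, which the page itself does not state.

```ruby
# Does the app see this request as HTTPS? Rack derives the scheme from the
# connection itself or from headers a reverse proxy is expected to forward.
# (Simplified model of Rack::Request#ssl?, not Rack's own code.)
def ssl_request?(env)
  return true if env['HTTPS'] == 'on'
  return true if env['HTTP_X_FORWARDED_SSL'] == 'on'
  scheme = env['HTTP_X_FORWARDED_SCHEME'] ||
           env['HTTP_X_FORWARDED_PROTO'] ||
           env['rack.url_scheme']
  # A chain of proxies may produce "https, http"; the first entry wins.
  scheme.to_s.split(',').first.to_s.strip == 'https'
end

# Build the Set-Cookie header values the app would emit. A cookie marked
# :secure is only written when the request itself looks like HTTPS, unless
# always_write is set (what Rails does in development/test).
def set_cookie_headers(env, cookies, always_write: false)
  ssl = ssl_request?(env)
  cookies.each_with_object([]) do |(name, opts), out|
    next if opts[:secure] && !ssl && !always_write
    parts = ["#{name}=#{opts[:value]}", 'path=/']
    parts << 'secure' if opts[:secure]
    parts << 'HttpOnly'
    out << parts.join('; ')
  end
end

# Constructed sample: the session cookie from the question, marked secure.
SESSION_COOKIES = { '_secure_session' => { value: 'abc123', secure: true } }

# Constructed request environments, i.e. what HAProxy hands to Rails.
# 1. TLS terminated at the proxy, nothing forwarded: Rails sees plain HTTP.
BARE_PROXY_ENV = { 'REQUEST_METHOD' => 'POST', 'rack.url_scheme' => 'http' }
# 2. Same request, but the proxy forwards the client's original scheme
#    (assumed fix: an X-Forwarded-Proto: https header added by HAProxy).
FORWARDING_PROXY_ENV = BARE_PROXY_ENV.merge('HTTP_X_FORWARDED_PROTO' => 'https')

if __FILE__ == $PROGRAM_NAME
  p set_cookie_headers(BARE_PROXY_ENV, SESSION_COOKIES)
  # => []  (secure cookie silently dropped, login loops back)
  p set_cookie_headers(FORWARDING_PROXY_ENV, SESSION_COOKIES)
  # => ["_secure_session=abc123; path=/; secure; HttpOnly"]
end
```

Running it with the bare proxy environment reproduces the "cookie never set" symptom; the forwarded-scheme environment shows the same app happily emitting the secure cookie.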
