Set a "secure" flag in session cookies in RoR even through HTTP

In a Rails application, you can easily set the secure attribute on the session cookie when it is served over HTTPS, to ensure that the cookie does not leak over a non-HTTPS connection.

However, if the Rails application does NOT use HTTPS, but only HTTP, it does not seem to set the secure cookie at all.
Although this makes sense, in this case there is a separate front-end load balancer that is responsible for terminating the SSL connection. From the LB to the Rails application, the connection is plain HTTP.

How can I get the Rails app to set the cookie as secure even though it is not using HTTPS itself?

security ruby-on-rails session-cookies
1 answer

Secure cookies by default are not sent over insecure connections.

Upstream SSL termination is pretty common, but you need to pass certain header fields so that Rails knows and can do the right thing.

Here is a document that explains the configuration pretty well for nginx. Search for "Set Headers" to go to the section that describes the specific headers you need to pass through.

There are security considerations with this configuration: for example, if the device terminating SSL is not on the same secure LAN as the Rails host, then you have a vulnerability.
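As an added illustration (not code from the question, the answer, or Rails/Rack itself), the following Ruby mirrors the scheme check Rack performs on the forwarded headers the answer refers to, and shows why the Secure attribute only appears once the load balancer passes them; the trusted-proxy allowlist is an assumption of this example, added to reflect the caveat above about who is allowed to assert the original scheme.

```ruby
# Added example: simplified version of Rack's scheme detection, so that an
# app receiving plain HTTP from an SSL-terminating load balancer can still
# mark its session cookie Secure. Not the Rails/Rack implementation itself.
TRUSTED_PROXIES = %w[10.0.0.5 10.0.0.6].freeze # hypothetical LB addresses

# Determine the scheme the client actually used. Forwarded headers are
# honoured only when the immediate peer is a trusted proxy; otherwise a
# client on the plain-HTTP side could assert X-Forwarded-Proto itself.
def effective_scheme(env)
  return "https" if env["HTTPS"] == "on"
  if TRUSTED_PROXIES.include?(env["REMOTE_ADDR"])
    return "https" if env["HTTP_X_FORWARDED_SSL"] == "on"
    # X-Forwarded-Proto may carry a comma-separated chain; the first entry
    # is the scheme the original client used.
    proto = env["HTTP_X_FORWARDED_PROTO"].to_s.split(",").first.to_s.strip
    return proto.downcase unless proto.empty?
  end
  env["rack.url_scheme"] || "http"
end

# Build the Set-Cookie header for the session cookie. Secure is added only
# when the effective scheme is https, which is the behaviour the question
# observed: over plain HTTP with no forwarded headers, no Secure flag.
def session_set_cookie(env, value)
  attrs = ["_app_session=#{value}", "path=/", "HttpOnly", "SameSite=Lax"]
  attrs << "Secure" if effective_scheme(env) == "https"
  attrs.join("; ")
end

if __FILE__ == $0
  # Constructed sample Rack environments.
  behind_lb = { "REMOTE_ADDR" => "10.0.0.5", "rack.url_scheme" => "http",
                "HTTP_X_FORWARDED_PROTO" => "https" }
  untrusted = { "REMOTE_ADDR" => "203.0.113.7", "rack.url_scheme" => "http",
                "HTTP_X_FORWARDED_PROTO" => "https" }
  puts session_set_cookie(behind_lb, "abc")  # ends with "; Secure"
  puts session_set_cookie(untrusted, "abc")  # no Secure attribute
end
```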
