How to make rack session cookies httponly? - McMap

About

How to make rack session cookies httponly?

Asked 10/9, 2012 at 0:20 Answered 21/9, 2012 at 0:18

Solved ruby session sinatra rack httponly

U

1

5

I am using Ruby and Sinatra to develop an application.
I use

enable :sessions

in order to use the session variable provided by rack. How can I make all of the session cookies be HTTPOnly? Is it like this by default? I can't find any documentation on this.

Upraise answered 10/9, 2012 at 0:20 Comment(0)

S

8

Instead of enable :sessions:

use Rack::Session::Cookie, {:httponly => true }

I'd suggest using the encrypted_cookie gem instead, it's far more secure. As an example, here's what I'll probably have for a project:

# app/main.rb
module Example
  class App < Sinatra::Base # this class in its own file
    # stuff here
  end
end

# app/config.rb
require "main"
module Example
  def self.app #
    Rack::Builder.app do
      cookie_settings = {        
        :key          => 'usr',
        :path         => "/",
        :expire_after => 86400,             # In seconds, 1 day.
        :secret       => ENV["COOKIE_KEY"], # load this into the environment of the server
        :httponly     => true
      }
      cookie_settings.merge!( :secure => true ) if ENV["RACK_ENV"] == "production"

      # AES encryption of cookies
      use Rack::Session::EncryptedCookie, cookie_settings

      # other stuff here

      run App
    end
  end
end

# config.ru
require "app/config"
run Example.app  # this in the rackup file

(To clarify why I've laid it out this way - this kind of stucture allows me to split the app up and use it easier in tests by just requiring the app/config.rb. YMMV)

Selfexamination answered 21/9, 2012 at 0:18 Comment(6)

Very nice. My application's flow is a lot simpler. Can I just use that Rack::Builder.app statement in my config.ru file, instead of enable :sessions ? Also, I use a session secret by writing set :session_secret, ENV['SESSION_KEY'] || "development_secret". Can I do this the same way with the rack session cookie? – Upraise 22/9, 2012 at 22:23

Yes, don't use enable sessions as well as this, just the Builder. You can also do the || trick, but because the env vars tend to increase over time (as they're so useful) I put the rackup command in a rake task that has a prerequisite task that sets up all the env vars with development values. – Selfexamination 23/9, 2012 at 12:7

Does Rack::Session::EncryptedCookie really provide :httponly option? – Drub 5/12, 2016 at 20:57

@JianWeihang No it doesn't, thanks for pointing it out. I've corrected the post. – Selfexamination 5/12, 2016 at 21:44

@JianWeihang Okay, I was hasty. Encrypted Cookie doesn't, but it relies on Rack's session code which does implement HttpOnly. It's in their specs here for v1.65 and here for version v2.x. – Selfexamination 5/12, 2016 at 21:55

@iain Thank you, after digging the source code, I found Encrypted::Cookie uses Rack::Utils.set_cookie_header!. – Drub 6/12, 2016 at 7:28

Recommended topics

#Godot #Unity #Godot 4.X #Mongodb

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

© 2022 - 2024 — McMap. All rights reserved.