How can I make cookies secure (https-only) by default in rails?

ruby-on-rails ssl cookies https ruby-on-rails-5
John Bachir picture John Bachir · Sep 22, 2010 · Viewed 23k times · Source

In a Rails controller, I can set a cookie like this:

cookies[:foo] = "bar"

And specify that the "secure" (https-only) flag be on like this:

cookies[:foo, :secure => true] = "bar"

:secure is false by default. How can I have cookies be secure by default, application-wide?

This is on Rails 2.3.8

Answer

David Cain picture David Cain · Jul 6, 2015

There's no need to monkeypatch ActionController/ActionDispatch, and force_ssl has side effects (e.g. when behind an ELB).

The most straightforward way to achieve secure cookies is to modify config/initializers/session_store.rb:

MyApp::Application.config.session_store :cookie_store, key: '_my_app_session',
                                                       secure: Rails.env.production?

Related questions

SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

I am using Authlogic-Connect for third party logins. After running appropriate migrations, Twitter/Google/yahoo logins seem to work fine but the facebook login throws exception: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed The …

Read More
bundle install fails with SSL certificate verification error

When I run bundle install for my Rails 3 project on Centos 5.5 it fails with an error: Gem::RemoteFetcher::FetchError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (https://bb-m.rubygems.org/gems/multi_json-1.3.2.gem) …

Read More
SSL Error When installing rubygems, Unable to pull data from 'https://rubygems.org/

I am trying to do the Michael Hartl tutorial. When I attempt to install rails 3.2.14 in my gemset, I get the following issue: $ gem install rails -v 3.2.14 ERROR: Could not find a valid gem 'rails' (= 3.2.14), here is why: Unable to …

Read More