Ruby on Rails Tuesday, December 30, 2014

I'm way behind the times.

I've finally got the go ahead from corporate to start an upgrade of
our ROR application from 1.2.6.

I'm first upgrading to Rails 2.2.3 which has not been too bad but I
have a question around http_only and secure session cookie using

I understand that :session_http_only by default is set to TRUE but it
appears to be ignored while :session_secure is FALSE.

I'm using this at the bottom of environment.rb to turn on the secure
ActionController::Base.session_options[:session_secure] = true

When secure is turned off (FALSE) I CAN access the session cookie via
javascript in the browser.
When secure is turned on (TRUE) I CANNOT access the session cookie via

This does not apply to other cookies - just the session cookie.

<P>Was this a known issue?

Posted via

You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
To post to this group, send email to
To view this discussion on the web visit
For more options, visit

No comments:

Post a Comment