Ruby on Rails Tuesday, December 30, 2014

I'm way behind the times.

I've finally got the go-ahead from corporate to start an upgrade of
our ROR application from 1.2.6.

I'm first upgrading to Rails 2.2.3, which has not been too bad, but I
have a question about the http_only and secure flags on the session cookie
when using :active_record_store.

I understand that :session_http_only by default is set to TRUE but it
appears to be ignored while :session_secure is FALSE.

I'm using this at the bottom of environment.rb to turn on the secure
flag.
ActionController::Base.session_options[:session_secure] = true

When secure is turned off (FALSE) I CAN access the session cookie via
javascript in the browser.
When secure is turned on (TRUE) I CANNOT access the session cookie via
javascript.

This does not apply to other cookies - just the session cookie.

Was this a known issue?

--
Posted via http://www.ruby-forum.com/.

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rubyonrails-talk+unsubscribe@googlegroups.com.
To post to this group, send email to rubyonrails-talk@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/rubyonrails-talk/62d3686c49062de13e9393e71cc7fa66%40ruby-forum.com.
For more options, visit https://groups.google.com/d/optout.
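Whether JavaScript can read a cookie is decided by the HttpOnly attribute in the Set-Cookie header, so the more reliable way to check the behaviour described in the post is to inspect the header the app actually sends rather than probe from the browser. The following is an added example, not code from the post or from Rails; the session cookie name `_session_id` and the URL are assumptions (check your app's :session_key setting).

```ruby
# Added example (not from the original post): parse Set-Cookie headers and
# report whether the session cookie carries the HttpOnly and Secure attributes.
require 'net/http'
require 'uri'

# Parse one Set-Cookie header value into its name, value and attribute flags.
# Attribute names are case-insensitive, so they are downcased for lookup.
def parse_set_cookie(header)
  parts = header.split(';').map(&:strip)
  name, value = parts.shift.split('=', 2)
  attrs = {}
  parts.each do |attr|
    k, v = attr.split('=', 2)
    attrs[k.downcase] = v.nil? ? true : v
  end
  { name: name, value: value, http_only: attrs.key?('httponly'),
    secure: attrs.key?('secure'), attrs: attrs }
end

# Audit a list of Set-Cookie headers and return a report for the session
# cookie, or nil if no session cookie was set. The default cookie name is an
# assumption; Rails 2.x apps may configure a different :session_key.
def audit_session_cookie(set_cookie_headers, session_key: '_session_id')
  cookies = set_cookie_headers.map { |h| parse_set_cookie(h) }
  session = cookies.find { |c| c[:name] == session_key }
  return nil unless session
  problems = []
  problems << 'missing HttpOnly (readable from JavaScript)' unless session[:http_only]
  problems << 'missing Secure (sent over plain HTTP)' unless session[:secure]
  { name: session[:name], http_only: session[:http_only],
    secure: session[:secure], problems: problems }
end

# Fetch a URL (hypothetical; point it at your own app) and audit its session cookie.
def audit_url(url)
  res = Net::HTTP.get_response(URI(url))
  audit_session_cookie(res.get_fields('Set-Cookie') || [])
end

# Constructed sample headers mirroring the two cases described in the post.
SAMPLE_INSECURE = ['_session_id=abc123; path=/']
SAMPLE_SECURE   = ['_session_id=abc123; path=/; secure; HttpOnly', 'other=1; path=/']

if __FILE__ == $0
  [SAMPLE_INSECURE, SAMPLE_SECURE].each do |headers|
    r = audit_session_cookie(headers)
    puts "#{r[:name]}: HttpOnly=#{r[:http_only]} Secure=#{r[:secure]} #{r[:problems].join(', ')}"
  end
end
```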
