Hi, currently Rails apps will have something like this by default in the
initializers:
Rails.application.config.session_store :cookie_store, key: '_my_app_session'
This will not set the "secure" flag in the _my_app_session cookie. It
can be set by providing the {secure: true} option to session_store, but
this happens at boot time rather than at request time. This has two
problems in my opinion:
1 - Rails isn't safe by default (to the extent of a secure cookie);
2 - It's not possible to serve the same application over different
domains when one of them is served over HTTPS and the other over HTTP
(unless insecure cookies are used for both); this could be useful for
some multi-tenant applications that will customize any views or behavior
based on the request's domain, while some clients are willing to use a
certificate while others are not (maybe managing free Let's Encrypt
certificates would not be desired and not all clients are willing to pay
for the certificates).
To fix the second case, Rails could introduce a {secure: :if_ssl} or
{conditionally_secure: true} option to allow the secure flag to be set
if request.ssl? is true. The first case would be fixed by making this
option the default one.
What do you think?
Best,
Rodrigo.
--
You received this message because you are subscribed to the Google Groups "Ruby on
Rails: Core" group.
Visit this group at https://groups.google.com/group/rubyonrails-core.
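What a request-time `secure: :if_ssl` option would have to do, shown as an added example (this is not Rails or Rack code, nor code from the poster): a small Rack-style middleware that inspects the request and appends the Secure attribute to the session cookie only when the request arrived over TLS. The cookie name `_my_app_session`, the constructed sample app, and the env keys (`rack.url_scheme`, `HTTPS`, `HTTP_X_FORWARDED_PROTO`) follow Rack conventions; honouring X-Forwarded-Proto assumes a reverse proxy you control strips client-supplied copies of that header.

```ruby
# Added example, not Rails/Rack code: add the Secure cookie attribute at
# request time instead of fixing it at boot in session_store.

SESSION_COOKIE_KEY = "_my_app_session" # assumed cookie name, as in the default initializer

# Decide whether the request arrived over TLS. This mirrors what
# Rack::Request#ssl? looks at: the URL scheme, the HTTPS env var, or an
# X-Forwarded-Proto header set by a reverse proxy.
# Caveat: X-Forwarded-Proto is only trustworthy when the proxy in front of
# the app overwrites any copy sent by the client.
def ssl_request?(env)
  return true if env["rack.url_scheme"] == "https"
  return true if env["HTTPS"] == "on"
  forwarded = env["HTTP_X_FORWARDED_PROTO"].to_s.split(",").first.to_s.strip
  forwarded.downcase == "https"
end

# Append "; Secure" to the named cookie in a Set-Cookie header value.
# Rack joins several Set-Cookie values with "\n", so each line is handled
# separately; cookies that already carry Secure are left untouched.
def secure_cookie_header(set_cookie, key, secure)
  return set_cookie if set_cookie.nil? || !secure
  set_cookie.split("\n").map do |line|
    name = line.split("=", 2).first
    if name == key && line !~ /;\s*secure\b/i
      line + "; Secure"
    else
      line
    end
  end.join("\n")
end

# Middleware that post-processes the response headers of the wrapped app.
class ConditionallySecureSession
  def initialize(app, key: SESSION_COOKIE_KEY)
    @app = app
    @key = key
  end

  def call(env)
    status, headers, body = @app.call(env)
    if (cookie = headers["Set-Cookie"])
      headers["Set-Cookie"] = secure_cookie_header(cookie, @key, ssl_request?(env))
    end
    [status, headers, body]
  end
end

# Constructed sample app: sets the session cookie without Secure, which is
# what the default cookie_store configuration does.
SAMPLE_APP = lambda do |_env|
  [200,
   { "Content-Type" => "text/plain",
     "Set-Cookie" => "_my_app_session=abc123; path=/; HttpOnly\nother=1; path=/" },
   ["ok"]]
end

# Run the sample app through the middleware for a given scheme and return
# the resulting Set-Cookie header value.
def run_sample(scheme)
  env = { "rack.url_scheme" => scheme }
  _status, headers, _body = ConditionallySecureSession.new(SAMPLE_APP).call(env)
  headers["Set-Cookie"]
end

if __FILE__ == $0
  puts "http:  #{run_sample("http").inspect}"
  puts "https: #{run_sample("https").inspect}"
end
```

Over plain HTTP the session cookie is left alone; over HTTPS it gains `; Secure` while the unrelated `other` cookie is untouched. Note that this only helps the multi-domain case described above: on a single host that is reachable over both schemes, a cookie set without Secure during an HTTP request will still be sent by the browser on every later request, so the HTTP-only tenants get no protection from this option.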