Re: [Rails-core] Re: HttpOnly cookies by default

2014-05-18 Thread Rodrigo Rosenfeld Rosas
I don't think you can use Rails sessions without cookie support...

On 17/05/2014 10:12, "Gabriel Sobrinho" wrote:
> I would argue that if you have some information that can't be hijacked and
> even parsed on JavaScript (HttpOnly cookies can't be read on JavaScript at
> all), why would you use

[Rails-core] Re: HttpOnly cookies by default

2014-05-17 Thread Gabriel Sobrinho
I would argue that if you have some information that can't be hijacked and even parsed on JavaScript (HttpOnly cookies can't be read on JavaScript at all), why would you use cookies instead of the Rails session?

On Friday, May 16, 2014 7:07:42 PM UTC-3, fedesoria wrote:
>
> I would like to see t

[Rails-core] Re: HttpOnly cookies by default

2014-05-16 Thread fedesoria
I would like to see this happen, since when dealing with Enterprise Vulnerability Scans it always comes up.

On Monday, January 7, 2013 2:09:42 PM UTC-8, Stephen Touset wrote:
>
> Earlier, someone proposed on the GH issues tracker that Rails default all
> cookies to HttpOnly[1]. Rails already mak