Does not set session cookie as secure #91

vipulvkp · 2016-11-02T15:58:39Z

Hi
Below are the things I did:

Installed rack-ssl-enforcer gem
In config/environment.rb (I have a Rails 2.3.2 app) added below two lines:
require 'rack/ssl-enforcer'
config.middleware.use Rack::SslEnforcer
Configured my web server(i.e. Apache) to send HSTS response header.

But still my session_id is not set as secure as verified in chrome developer console.

tobmatth · 2016-11-02T19:12:29Z

You need to enable HSTS:

config.middleware.insert_before  ActionDispatch::Cookies, Rack::SslEnforcer, hsts: true

vipulvkp · 2016-11-03T06:56:52Z

Hi
I think I found the issue.
Instead of config.middleware.insert_before ActionDispatch::Cookies, Rack::SslEnforcer, :hsts=>true

I added the below:

config.middleware.insert_before ActionController::Session::CookieStore, Rack::SslEnforcer, :hsts => true

I have a Rails 2 application. If I use the above (ActionDispatch), code crashes saying "Could not find ActionDispatch)

tobmatth · 2016-11-03T06:59:05Z

Guess you are right, have to inspect the Middleware stack für Rails 2.x applications. Thanks for getting back, i'm closing here...

vipulvkp · 2016-11-03T07:06:21Z

Hey,

Can we change the path of the cookie using this gem?

Regards,
Vipul

tobmatth · 2016-11-03T07:13:00Z

What would be the Use-Case for this?

vipulvkp · 2016-11-03T08:02:59Z

If the path is set to the root directory ""/“, an attacker can access other cookies of the sub domain which are available under the parent domain.

It is recommended to set the value of the “path” attribute to the actual virtual directory path of the application.

I

tobmatth closed this as completed Nov 3, 2016

Provide feedback