1

Below is my code in session_store.rb

Rails.application.config.session_store :active_record_store , key: '_test_key', secure: :true

Browser receiving below response headers when requests rails application with above configuration:

Cache-Control:no-cache Content-Type:text/html; charset=utf-8 Date:Fri, 10 Aug 2018 10:46:51 GMT Location:https://xxxxx-xxxx.com/home Server:nginx/1.12.2 + Phusion Passenger 5.2.3 Status:302 Found Transfer-Encoding:chunked X-Content-Type-Options:nosniff X-Frame-Options:SAMEORIGIN X-Powered-By:Phusion Passenger 5.2.3 X-Request-Id:xxxxxxxxxxxe5-7f1a2bb20b23 X-Runtime:1.191833 X-XSS-Protection:1; mode=block

Issue is "Set-Cookie" header is missing in response which will be sent to the application in the next request to validate as it is 302 status code.

when I remove "secure" from configuration as below "cookie" is sent 

Rails.application.config.session_store :active_record_store , key: '_test_key'

And response is:

Cache-Control:no-cache Content-Type:text/html; charset=utf-8 Date:Fri, 10 Aug 2018 10:38:05 GMT Location:https://xxxxxx-wspbx.com/home Server:nginx/1.12.2 + Phusion Passenger 5.2.3 SetCookie-:_test_key=06b1bd1397fa64af1eb9c9ed4d2e0b0b; path=/; HttpOnly Status:302 Found Transfer-Encoding:chunked X-Content-Type-Options:nosniff X-Frame-Options:SAMEORIGIN X-Powered-By:Phusion Passenger 5.2.3 X-Request-Id:xxxxxxxxxxxxxxxxx7-58e1baab7dc8 X-Runtime:1.207210 X-XSS-Protection:1; mode=block

what makes the "Set-Cookie" not to be sent to browser when "secure" option is provided for session_store.?

Improve this question

2 Answers 2

Reset to default
3

You've probably figured it out by now but just in case, the secure: true will only allow the cookie to be sent trough an encrypted HTTPS (SSL/TLS) connection which you most likely don't have locally.

You could do something like:

Rails.application.config.session_store :active_record_store , key: '_test_key', secure: !(Rails.env.development? || Rails.env.test?)

And it will work as long as production is using ssl, you might need to add: config.force_ssl = true to your production.rb

https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Session_Management_Cheat_Sheet.md#secure-attribute

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

0

I solved it by this monkey patch, instead of specifying the secure: :true :

require 'rack/utils' module Rack module Utils def self.set_cookie_header!(header, key, value) case value when Hash domain = "; domain=" + value[:domain] if value[:domain] path = "; path=" + value[:path] if value[:path] max_age = "; max-age=" + value[:max_age] if value[:max_age] expires = "; expires=" + rfc2822(value[:expires].clone.gmtime) if value[:expires] # Make always secure # secure = "; secure" if value[:secure] secure = "; secure" httponly = "; HttpOnly" if value[:httponly] same_site = case value[:same_site] when false, nil nil when :none, 'None', :None '; SameSite=None' when :lax, 'Lax', :Lax '; SameSite=Lax' when true, :strict, 'Strict', :Strict '; SameSite=Strict' else raise ArgumentError, "Invalid SameSite value: #{value[:same_site].inspect}" end value = value[:value] end value = [value] unless Array === value cookie = escape(key) + "=" + value.map { |v| escape v }.join("&") + "#{domain}#{path}#{max_age}#{expires}#{secure}#{httponly}#{same_site}" case header["Set-Cookie"] when nil, '' header["Set-Cookie"] = cookie when String header["Set-Cookie"] = [header["Set-Cookie"], cookie].join("\n") when Array header["Set-Cookie"] = (header["Set-Cookie"] + [cookie]).join("\n") end nil end end end
Improve this answer

Comments

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.