Devise secure cookie seems not to work #3433

Closed
equivalent opened this Issue Jan 19, 2015 · 8 comments

equivalent commented Jan 19, 2015

Hi

I was trying to set

# config/initializers/devise.rb
config.rememberable_options = { secure: true }

so that my session cookie has the "secure flag" on it. But when I'm inspecting my cookies they are Secure = ""

Firebug: (screenshot)

Web-developer toolbar Firefox: (screenshot)

Gems:

  • devise (3.4.1)
  • devise_invitable (1.4.0)
  • rails (3.2.20)
  • unicorn (4.6.2)
equivalent commented Jan 19, 2015

This is on a production server that has a proper SSL certificate and uses Unicorn; Unicorn was restarted (stop, wait, start) several times to make sure the issue isn't just old workers picking up old config.

josevalim commented Jan 19, 2015

Weird. We are definitely merging this in here:

Devise::Controllers::Rememberable.cookie_values.merge!(resource.rememberable_options)

Can you please investigate if there would be a reason that is not triggering?

equivalent commented Jan 19, 2015

Thank you for reply

Devise.rememberable_options
# => {:secure=>true}
Devise::Controllers::Rememberable.cookie_values
# => {}

I tried EDITOR=vim bundle open devise and looked at ./lib/devise/controllers/rememberable.rb, and I definitely have that piece of code there.

I'm going to try to upgrade the Ruby version, as the server is still running ruby 2.0.0p247; will see what happens.

equivalent commented Jan 19, 2015

Ok, I've done some debugging and now I'm more confused.

So the first problem was that I was not using the :rememberable module. I thought that Devise.rememberable_options was the overall session configuration. But even when I use the module and create the required database column, the result is the same:

Given user signs in
Then forget_cookie_values is not triggered

Given user signs out
Then forget_cookie_values is triggered with the debugging below

    29: def forget_cookie_values(resource)
    30:   Devise::Controllers::Rememberable.cookie_values.merge!(resource.rememberable_options)
 => 31:   binding.pry
    32: end
[1] pry(#<Devise::Hooks::Proxy>)> Devise::Controllers::Rememberable.cookie_values 
#=> {}

This happens on this Rails 3 project on Ruby 2.0.0 (tested development, staging and production), and also on one other Rails 4 project on Ruby 2.1.2 (tested development).

But I don't care that much about the "rememberable" cookie, even if it apparently looks like it's not working; I'm more curious about the insecure "_session_id" cookie created when the user signs in, as demonstrated in my screenshots. (I know that this isn't Stack Overflow but I have to ask this.) Is there a way I can tell Devise to create a "secure" session sign_in cookie? Am I missing something?

josevalim commented Jan 19, 2015

There is one option you can set in Rails, which is config.force_ssl = true (iirc), that will properly set secure and redirect all non-secure access. Otherwise, there is an initializer in config/initializers that configures the session, and you can set secure: true in there.
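Whichever of the two settings is used, the way to confirm it took effect is to look at the Set-Cookie headers the application actually returns, which is what the reporter did by hand in Firebug. The following is an added example, not code from this thread or from Devise: a small Set-Cookie auditor that parses each header and reports cookies lacking the Secure or HttpOnly attribute. The two sample headers are constructed to resemble the reporter's situation (a _session_id cookie without Secure next to a remember-me cookie with both flags); the cookie values are made up.

```ruby
# Audit Set-Cookie headers for the Secure and HttpOnly attributes.
# Added example for this thread; the sample headers below are constructed,
# not captured from the reporter's application.

# Parse one Set-Cookie header value into its name, value and attributes.
# Attribute names are case-insensitive (RFC 6265), so they are downcased.
def parse_set_cookie(header)
  parts = header.split(';').map(&:strip)
  name, value = parts.shift.split('=', 2)
  attrs = {}
  parts.each do |part|
    k, v = part.split('=', 2)
    attrs[k.downcase] = v.nil? ? true : v   # flag attributes carry no value
  end
  { name: name, value: value, attrs: attrs }
end

# Return the list of problems for a single parsed cookie.
# An empty array means the cookie carries both flags.
def cookie_findings(cookie)
  findings = []
  findings << "#{cookie[:name]}: missing Secure flag" unless cookie[:attrs]['secure']
  findings << "#{cookie[:name]}: missing HttpOnly flag" unless cookie[:attrs]['httponly']
  findings
end

# Audit every Set-Cookie header of a response and collect all findings.
def audit_set_cookie_headers(headers)
  headers.map { |h| parse_set_cookie(h) }.flat_map { |c| cookie_findings(c) }
end

# Constructed sample: a session cookie without Secure (what the reporter saw
# in Firebug) and a remember-me cookie that has both flags.
SAMPLE_HEADERS = [
  "_session_id=BAh7B0kiD3Nlc3Npb25faWQ; path=/; HttpOnly",
  "remember_user_token=W1sxXSwiJDJhJDEwJ; path=/; expires=Mon, 02-Feb-2015 10:00:00 GMT; secure; HttpOnly",
].freeze

if __FILE__ == $0
  audit_set_cookie_headers(SAMPLE_HEADERS).each { |finding| puts finding }
end
```

Run against the sample headers it reports only the session cookie; in practice you would feed it the Set-Cookie headers from a real sign-in response (e.g. the output of curl -i over HTTPS against the production host) so that the check exercises the deployed configuration rather than development.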

josevalim commented Jan 19, 2015

The rememberable options were supposed to work though. I believe they are not working in your case because you haven't checked the remember_me box to true in the first place. Or have you? :)

equivalent commented Jan 20, 2015

Aawww! Ok, yes you're right Jose, I didn't check the rememberable option (stupid me) :)

I was using force_ssl in the environment config before, but because my app renders some parts of the application as publicly accessible non-https I was forced to move it to the controller => it seems that it's not making the session_id cookie secure. Anyway, I'm going to play around on the Rails side with this :). As this is no longer a Devise problem or concern I'm going to close this issue.

But the point I was trying to make about the secure session cookie seems to be covered by the gem devise_ssl_session_verifiable (I'm still testing it, not sure if it works). Basically they set one extra cookie that is secure, and even if the session_id cookie is non-secure, the server needs both for letting the user in => a non-https connection will not work.

Thank you for help :)
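The mechanism described in the previous comment (an extra Secure-only cookie that the server requires alongside the ordinary session cookie) can be sketched without Rails. The following is an added example written for this thread; it is not the devise_ssl_session_verifiable gem's code and does not claim to match its design. The cookie name ssl_session_verifier, the HMAC binding of the verifier to the session id, and the server secret are all assumptions chosen for the illustration. It simulates a browser that attaches Secure cookies only on https requests, so the same cookie jar passes the check over https and fails over plain http.

```ruby
require 'openssl'
require 'securerandom'

# Illustration of the "second, Secure-only cookie" idea from the thread.
# Added example; not the devise_ssl_session_verifiable gem's code. The cookie
# name, the HMAC construction and the secret below are assumptions.

SERVER_SECRET   = 'constructed-secret-do-not-reuse'.freeze  # constructed sample
SESSION_COOKIE  = '_session_id'.freeze                       # name used in the thread
VERIFIER_COOKIE = 'ssl_session_verifier'.freeze              # assumed name

# Bind the verifier to the session id so that a copy of one cookie alone
# (e.g. a session id observed on a plain-http request) is not sufficient.
def verifier_for(session_id, secret = SERVER_SECRET)
  OpenSSL::HMAC.hexdigest('SHA256', secret, session_id)
end

# Cookies a server would set at sign-in over HTTPS. Only the verifier cookie
# is marked Secure; a browser never sends it over plain HTTP.
def sign_in_cookies(session_id)
  {
    SESSION_COOKIE  => { value: session_id,               secure: false, httponly: true },
    VERIFIER_COOKIE => { value: verifier_for(session_id), secure: true,  httponly: true },
  }
end

# Simulate which cookies a browser attaches to a request over a given scheme:
# cookies flagged Secure are only sent when the scheme is https.
def cookies_sent(jar, scheme)
  jar.each_with_object({}) do |(name, cookie), sent|
    next if cookie[:secure] && scheme != 'https'
    sent[name] = cookie[:value]
  end
end

# Constant-time string comparison so the verifier check does not leak the
# position of the first mismatching byte through timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server-side check: the session is accepted only when both cookies are
# present and the verifier matches the session id.
def session_verified?(request_cookies)
  sid = request_cookies[SESSION_COOKIE]
  ver = request_cookies[VERIFIER_COOKIE]
  return false if sid.nil? || ver.nil?
  secure_equal?(ver, verifier_for(sid))
end

# Same cookie jar, two schemes: verified over https, rejected over http.
def demo
  jar = sign_in_cookies(SecureRandom.hex(16))
  {
    https: session_verified?(cookies_sent(jar, 'https')),
    http:  session_verified?(cookies_sent(jar, 'http')),
  }
end

puts demo.inspect if __FILE__ == $0
```

The point of binding the verifier to the session id with a keyed hash is that the two cookies must belong together; a session cookie alone, or a verifier paired with a different session, is rejected. In a real deployment the verifier cookie should also carry HttpOnly and the server secret must come from configuration, not the source file.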

josevalim closed this Jan 20, 2015

equivalent commented May 9, 2015
