default cookies to httpOnly #1449
For security reasons (session hijacking, for example), I think that it could be a good idea to default cookies to httpOnly: https://www.owasp.org/index.php/HttpOnly
(any reason for not doing that, apart from being 'kind of' backwards incompatible?)
related:
https://github.com/rails/rails/blob/master/actionpack/lib/action_dispatch/http/response.rb#L136
https://github.com/rails/rails/blob/master/actionpack/lib/action_dispatch/middleware/cookies.rb#L220
rack/rack#184
Comments
Let's hear feedback from @josh? As long as this cookie would work on both
the main point is that by setting cookies to httponly, they can't be read by javascript (so we have better protection against session hijacking).
btw, I said that it is 'kind of' backwards incompatible because the only thing I can imagine that could break is if someone is reading cookies with javascript intentionally in his app.
The session is already httponly. So is there a strong reason to set all cookies httponly?
I think that the question should be "why not?".
Backwards incompat.
Now that Rails 4 is on the horizon, and backwards incompatibilities can be expected, is this something that should be reconsidered?
Rails 4 is a backwards-compatible (as much as possible) release, and feature requests don't belong on the issues tracker anyway.
Seems like there should be a way to tell Rails to make all cookies httponly by default, right? Instead of having to remember to set the httponly flag each time you save a cookie.
@joevandyk: Please talk about feature requests on the mailing list. It looks like there is still a topic about your proposal; unfortunately, it hasn't been commented on yet.
Maybe we can get @xuchu to think about this one for his gsoc project
@chancancode I can work on it when building the expiring signed cookie jar.
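The thread asks for a way to make every cookie HttpOnly by default while still allowing the one case that would break (a cookie the app deliberately reads from JavaScript). The following is an added example written for this page, not Rails or Rack code: a Rack-style middleware that appends the HttpOnly attribute to each Set-Cookie value unless it is already present or the cookie name is on an opt-out list. It assumes only the Rack calling convention (`app.call(env)` returning `[status, headers, body]`) and the Set-Cookie header shapes Rack uses; the rack gem is not needed to run it. The cookie names and values in the sample app are constructed.

```ruby
# Added example, not Rails or Rack code: a Rack-style middleware that marks
# every Set-Cookie header as HttpOnly unless the app opted that cookie out.
# Only the Rack calling convention (app.call(env) -> [status, headers, body])
# is assumed; the rack gem itself is not required to run this file.

module HttpOnlyByDefault
  # Rack 1.x/2.x join several cookies with "\n" in one String; Rack 3 uses
  # an Array. Normalize both shapes to an Array of single Set-Cookie values.
  def self.split_cookies(value)
    case value
    when Array  then value.dup
    when String then value.split("\n")
    else []
    end
  end

  # Append "; HttpOnly" unless the attribute is already present.
  # Attribute names are case-insensitive (RFC 6265), hence the /i flag.
  def self.harden(cookie)
    return cookie if cookie =~ /;\s*httponly\s*(;|\z)/i
    "#{cookie}; HttpOnly"
  end

  # The cookie name is everything before the first "=".
  def self.cookie_name(cookie)
    cookie.split("=", 2).first.to_s.strip
  end
end

class HttpOnlyCookies
  # except: names of cookies that client-side script legitimately needs,
  # i.e. the one backwards-compatibility case raised in the thread.
  def initialize(app, except: [])
    @app    = app
    @except = except.map(&:to_s)
  end

  def call(env)
    status, headers, body = @app.call(env)
    # Header names are case-insensitive; Rack 3 lowercases them.
    key = headers.keys.find { |k| k.to_s.casecmp?("set-cookie") }
    if key
      cookies = HttpOnlyByDefault.split_cookies(headers[key]).map do |c|
        if @except.include?(HttpOnlyByDefault.cookie_name(c))
          c
        else
          HttpOnlyByDefault.harden(c)
        end
      end
      headers[key] = cookies.join("\n")
    end
    [status, headers, body]
  end
end

# Constructed sample app: one cookie already HttpOnly (as the Rails session
# cookie is), one plain cookie, and one the app deliberately exposes to
# JavaScript. Returns the Set-Cookie lines after the middleware ran.
def demo_set_cookie_lines
  app = lambda do |_env|
    [200,
     { "Content-Type" => "text/plain",
       "Set-Cookie" => "_session=abc; path=/; HttpOnly\nremember=1; path=/\njs_flag=on; path=/" },
     ["ok"]]
  end
  _status, headers, _body = HttpOnlyCookies.new(app, except: [:js_flag]).call({})
  headers["Set-Cookie"].split("\n")
end

if __FILE__ == $PROGRAM_NAME
  puts demo_set_cookie_lines
end
```

Running the file prints the three cookies with `remember` now carrying `HttpOnly`, `_session` untouched (already flagged), and `js_flag` left readable because it was opted out. The opt-out list is the place to enumerate the cookies an app really reads from `document.cookie`, which makes the backwards-compatibility cost of the default explicit and reviewable. HttpOnly only blocks script from reading the cookie value; script running in the page can still issue requests that carry the cookie, so it narrows session-theft via XSS rather than replacing output encoding or CSRF protection.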