Question

The rails session cookie is HttpOnly by default but the remember_user_token cookie set by Devise's Rememberable module is not.

As I understand it that cookie when sent will result in the user being issued a new session cookie, so surely it's as vulnerable to XSS.

So is there any way to set it to HttpOnly?


Solution

With the help of @camonz on #rubyonrails I came up with this monkey patch: https://gist.github.com/749289

In Devise 1.1.3 the cookie options are hardcoded so a monkey patch is all I could think would work.

However, Devise 1.2rc looks like it will allow configuration because it pulls in resource.cookie_options (i.e. it takes cookie_options from the User model, so you should be able to set it there somehow - I haven't figured that out yet).

P.S. I haven't figured out how to test this yet. To test manually in Chrome, switch to the tab the cookie is set in, open Developer Tools with Alt + Cmd + I, switch to the Storage tab, click the item under 'Cookies' (localhost in my case), and look at the HTTP column. There'll be a tick if the cookie is HttpOnly. For reference, the Rails session cookie, called _session_id by default, is HttpOnly by default.
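As an added example (not from the question, the answer, or the linked gist), here is a small Ruby script that does programmatically what the P.S. above describes doing by hand in Chrome: it parses `Set-Cookie` response headers and lists the cookies that lack the `HttpOnly` flag. The header values are constructed sample data modelled on a Rails app with Devise's Rememberable module; the function names are my own.

```ruby
# Added example (not from the original question or answer): audit Set-Cookie
# headers for the HttpOnly flag. The header lines below are constructed
# sample data modelled on a Rails app with Devise's Rememberable module.

# Parse one Set-Cookie header value into [cookie_name, attributes_hash].
# Flag attributes without a value (HttpOnly, Secure) are stored as true;
# attribute names are lower-cased because they are case-insensitive.
def parse_set_cookie(header)
  parts = header.split(";").map(&:strip)
  name, _value = parts.shift.split("=", 2)
  attrs = {}
  parts.each do |part|
    key, val = part.split("=", 2)
    attrs[key.downcase] = val.nil? ? true : val
  end
  [name, attrs]
end

# Return the names of cookies in the given Set-Cookie headers that are
# missing the HttpOnly flag, i.e. cookies readable via document.cookie
# and therefore exposed to script injected by an XSS bug.
def cookies_missing_httponly(headers)
  headers.map { |h| parse_set_cookie(h) }
         .reject { |_name, attrs| attrs.key?("httponly") }
         .map(&:first)
end

# Constructed sample response headers: the Rails session cookie carries
# HttpOnly, the Devise remember-me cookie (as described for Devise 1.1.3)
# does not.
SAMPLE_SET_COOKIE_HEADERS = [
  "_session_id=abc123; path=/; HttpOnly",
  "remember_user_token=xyz789; path=/; expires=Thu, 01 Jan 2099 00:00:00 GMT",
].freeze

if __FILE__ == $PROGRAM_NAME
  missing = cookies_missing_httponly(SAMPLE_SET_COOKIE_HEADERS)
  puts "Cookies without HttpOnly: #{missing.inspect}"
end
```

Against a real app you would feed it the `Set-Cookie` headers from a sign-in response (for example, `curl -i` with remember-me enabled); an empty result means every cookie in that response is out of reach of page scripts.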

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow