Question

I notice that Rails 2.2 (currently edge) supports setting HttpOnly on the session cookie.

Is there a way of setting it on a Rails 2.1 application without moving to edge/2.2?


Solution 2

I have written a monkey patch to add this support to Rails 2.1, from the patch for Rails 2.2.

I've not tested on anything other than Rails 2.1, and your mileage may vary!

OTHER TIPS

Well it isn't supported, as you note, but you can of course monkey-patch Rails to do what you want. Actually, the difference between directly patching your Rails v. monkey-patching in this case is very little, as either would be removed/reverted when you upgrade to 2.2.

In both cases you would look at that applied diff as a guide for patching 2.1 yourself - either through applying the patch directly (modulo any 2.1/edge differences), or by reopening those classes from your own code post-environment-loading to apply the changes.
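The two monkey-patch answers above (Solution 2 and the tip just before this) both come down to the same idea: reopen the framework's cookie class from your own code after the environment loads and append the HttpOnly flag. The following is an added illustration of that idiom, not the patch either answerer wrote and not Rails' own code. LegacyCookie is a constructed stand-in for an old cookie class with no HttpOnly support, and the Set-Cookie headers are constructed samples; the parse/audit helpers show how you would verify, from the response headers, that the patch actually took effect.

```ruby
# Added example: models the "reopen the class" monkey-patch approach and
# provides a checker for Set-Cookie headers. LegacyCookie is a constructed
# stand-in, NOT a Rails class; the header strings below are constructed.

class LegacyCookie
  attr_reader :name, :value, :path

  def initialize(name, value, path = '/')
    @name, @value, @path = name, value, path
  end

  # Emits a Set-Cookie header value with no HttpOnly flag (the pre-patch state).
  def to_header
    "#{name}=#{value}; path=#{path}"
  end
end

# Reopen the class from application code to add an http_only option and append
# the flag when it is set. Keep the original behaviour reachable via an alias so
# the patch is easy to remove when the framework gains native support.
class LegacyCookie
  attr_accessor :http_only

  alias_method :to_header_without_http_only, :to_header

  def to_header
    header = to_header_without_http_only
    http_only ? "#{header}; HttpOnly" : header
  end
end

# Parse a Set-Cookie header into the cookie name and its downcased attribute names.
def parse_set_cookie(header)
  parts = header.split(';').map(&:strip)
  name = parts.shift.split('=', 2).first
  attrs = parts.map { |p| p.split('=', 2).first.downcase }
  { :name => name, :attributes => attrs }
end

# True only if the header carries the HttpOnly flag (attribute names are case-insensitive).
def http_only?(header)
  parse_set_cookie(header)[:attributes].include?('httponly')
end

# Audit a batch of Set-Cookie headers; returns the names of cookies lacking HttpOnly.
def cookies_missing_http_only(headers)
  headers.reject { |h| http_only?(h) }.map { |h| parse_set_cookie(h)[:name] }
end

if $PROGRAM_NAME == __FILE__
  cookie = LegacyCookie.new('_session_id', 'abc123')
  puts cookie.to_header            # before the patch takes effect: no flag
  cookie.http_only = true
  puts cookie.to_header            # with the reopened class: "; HttpOnly" appended

  # Constructed sample of response headers as captured from a browser or proxy.
  sample = ['_session_id=abc123; path=/', 'prefs=dark; path=/; HttpOnly']
  p cookies_missing_http_only(sample)
end
```

Running the audit helper over the Set-Cookie headers your application actually returns is the quickest way to confirm the session cookie picked up the flag; the monkey patch is only doing its job if the session cookie's name stops appearing in the missing list.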

Set the http_only option to true in the cookie's options hash:

cookies['visits'] = { :value => '20', :http_only => true }

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow