How do I set the session cookie's HttpOnly setting to false?
-
30-09-2019 - |
Question
In Ruby on Rails, how do I set the session cookie's httpOnly setting to false?
Solution 2
I figured this out. In /config/environment.rb
include this code:
config.action_controller.session = {
:httponly => false
}
OTHER TIPS
In Rails 4, you need to edit config/initializers/session_store.rb
Rails.application.config.session_store :cookie_store,
key: '_my_app_session', httponly: false
This is how i did it with Rails 3:
Testapp::Application.config.session_store :cookie_store, key: '_testapp_session', :domain => :all, :httponly => false
Rails has it set by default to true.
I don't recommend to change it because it will set you cookies accessable for changing from JS like: document.cookie
In Rails 3+ you can change your cookies configuration from config/initializers/session_store.rb
:
# Be sure to restart your server when you modify this file.
Rails.application.config.session_store :cookie_store, key: "_my_application_session", httponly: false
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow