Cookie not set when secure option is given in session_store. #132

Open
khajabhanu opened this issue Aug 10, 2018 · 4 comments

Comments

@khajabhanu

Below is my code in session_store.rb

Rails.application.config.session_store :active_record_store, key: '_test_key', secure: true

The browser receives the response headers below when it requests the Rails application with the above configuration:

Cache-Control:no-cache
Content-Type:text/html; charset=utf-8
Date:Fri, 10 Aug 2018 10:46:51 GMT
Location:https://xxxxx-xxxx.com/home
Server:nginx/1.12.2 + Phusion Passenger 5.2.3
Status:302 Found
Transfer-Encoding:chunked
X-Content-Type-Options:nosniff
X-Frame-Options:SAMEORIGIN
X-Powered-By:Phusion Passenger 5.2.3
X-Request-Id:xxxxxxxxxxxe5-7f1a2bb20b23
X-Runtime:1.191833
X-XSS-Protection:1; mode=block

The issue is that the "Set-Cookie" header is missing from the response, which would be sent back to the application in the next request for validation, since it is a 302 status code.

When I remove "secure" from the configuration as below, the cookie is sent:

Rails.application.config.session_store :active_record_store, key: '_test_key'

And response is:

Cache-Control:no-cache
Content-Type:text/html; charset=utf-8
Date:Fri, 10 Aug 2018 10:38:05 GMT
Location:https://xxxxxx-wspbx.com/home
Server:nginx/1.12.2 + Phusion Passenger 5.2.3
Set-Cookie:_test_key=06b1bd1397fa64af1eb9c9ed4d2e0b0b; path=/; HttpOnly
Status:302 Found
Transfer-Encoding:chunked
X-Content-Type-Options:nosniff
X-Frame-Options:SAMEORIGIN
X-Powered-By:Phusion Passenger 5.2.3
X-Request-Id:xxxxxxxxxxxxxxxxx7-58e1baab7dc8
X-Runtime:1.207210
X-XSS-Protection:1; mode=block

I need to know what prevents the "Set-Cookie" header from being sent to the browser when the "secure" option is provided for session_store.

@rafaelfranca (Member)

Please do investigate. We don't know why this is happening either.

@zelluv

zelluv commented Jan 17, 2019

@khajabhanu any new findings on this? I'm experiencing the exact same problem. Appeared when I updated several gems.

@zelluv

zelluv commented Jan 17, 2019

Oh, I just realized that the 'secure' option means that the session cookies will only be sent over an HTTPS connection. So that's why it was missing from the response when doing an HTTP request.

@ndvbd

ndvbd commented Apr 2, 2020

Any solution here?
We want Rails to send the 'secure' flag on cookies, even when over HTTP.
The reason: when using some service to convert HTTP->HTTPS traffic (nginx, Cloudflare), you still want to have that property.
What is blocking the 'secure' property in Rails, and how do we unblock it?
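An added example, not code from this issue, from Rails or from Rack: a small Ruby model of the behaviour zelluv describes (a `secure: true` session cookie is never written on a plain-HTTP request) and of the TLS-terminating proxy setup ndvbd asks about. The scheme detection is written to mirror Rack's request scheme logic as I understand it (an assumption), and the cookie builder is a simplified stand-in for the session middleware's cookie writer, not the real one.

```ruby
# Rack-style scheme detection: explicit HTTPS env vars and the common
# forwarded headers override the raw socket scheme (assumption: mirrors
# Rack::Request#scheme; this is not Rack's own code).
def request_scheme(env)
  if env['HTTPS'] == 'on' || env['HTTP_X_FORWARDED_SSL'] == 'on'
    'https'
  elsif env['HTTP_X_FORWARDED_SCHEME']
    env['HTTP_X_FORWARDED_SCHEME']
  elsif env['HTTP_X_FORWARDED_PROTO']
    # A chain of proxies may append values; the first (outermost) one wins.
    env['HTTP_X_FORWARDED_PROTO'].split(',').first.strip
  else
    env['rack.url_scheme']
  end
end

def ssl?(env)
  request_scheme(env) == 'https'
end

# Build the Set-Cookie value for the session cookie, or nil when the session
# middleware refuses to write a secure cookie on a non-SSL request. This is a
# simplified stand-in for the session middleware's cookie writer.
def session_set_cookie(env, session_id, key: '_test_key', secure: false)
  return nil if secure && !ssl?(env)

  attrs = ["#{key}=#{session_id}", 'path=/']
  attrs << 'secure' if secure
  attrs << 'HttpOnly'
  attrs.join('; ')
end

# Constructed sample environments: a plain HTTP request, the same request
# behind a TLS-terminating proxy that sets X-Forwarded-Proto, and direct TLS.
PLAIN_HTTP   = { 'rack.url_scheme' => 'http' }.freeze
BEHIND_PROXY = { 'rack.url_scheme' => 'http', 'HTTP_X_FORWARDED_PROTO' => 'https' }.freeze
DIRECT_TLS   = { 'rack.url_scheme' => 'https' }.freeze

if __FILE__ == $PROGRAM_NAME
  sid = 'constructed-session-id'
  puts "plain HTTP,   secure: true  -> #{session_set_cookie(PLAIN_HTTP, sid, secure: true).inspect}"
  puts "behind proxy, secure: true  -> #{session_set_cookie(BEHIND_PROXY, sid, secure: true).inspect}"
  puts "plain HTTP,   secure: false -> #{session_set_cookie(PLAIN_HTTP, sid).inspect}"
end
```

If the proxy does not forward the original scheme, the application never learns the request arrived over HTTPS and keeps dropping the cookie; having the proxy set X-Forwarded-Proto is the fix, rather than forcing a secure cookie over plain HTTP, which would send the session id in clear text.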
