18

In Ruby on Rails, how do I set the session cookie's httpOnly setting to false?

kingjeffrey
    PSA: **don't do this in production**. The `httponly` flag is there for security. It might sound like it means "not https", but it actually means "not available to JavaScript". `httponly` is compatible with the `secure` flag, which means "only send over https connections". See https://www.owasp.org/index.php/HttpOnly – Nathan Long May 10 '17 at 19:06

4 Answers

10

In Rails 4, you need to edit config/initializers/session_store.rb

# config/initializers/session_store.rb
# httponly: false lets client-side JavaScript read the session cookie via document.cookie
Rails.application.config.session_store(
  :cookie_store,
  key: '_socializus_session',
  httponly: false,
)
Dorian
troelskn
    Reasonable question, CodeDave. You pass the key `:httponly` with the value `false`. (As per the other answers here - it's just that the location of the code to edit has changed from `environment.rb` to an initializer) – troelskn May 05 '14 at 08:34
7

I figured this out. In /config/environment.rb include this code:

  # Rails 2.3: session options were set on config.action_controller in config/environment.rb
  config.action_controller.session = {
    :httponly => false
  }
Dorian
kingjeffrey
  • For what version of rails was this? I'm trying in rails 3, and get the following error: undefined method `session=' for ActionController::Base:Class – Peter Ehrlich Dec 02 '11 at 04:12
  • @Peter This was written before RoR 3 for version 2.3. It has not been tested with 3. – kingjeffrey Dec 03 '11 at 04:53
  • I made a workaround, here: http://stackoverflow.com/questions/8351871/session-cookie-httponly-false-rails-3-1/8371839#8371839 – Peter Ehrlich Dec 04 '11 at 19:44
7

This is how I did it with Rails 3:

# config/initializers/session_store.rb; domain: :all shares the cookie across subdomains,
# httponly: false makes it readable from JavaScript
Testapp::Application.config.session_store :cookie_store, key: '_testapp_session', domain: :all, httponly: false
sailor
1

Rails has it set by default to true. I don't recommend changing it because it will make your cookies accessible for changing from JS, e.g. via document.cookie.

In Rails 3+ you can change your cookies configuration from config/initializers/session_store.rb:

# Be sure to restart your server when you modify this file.
Rails.application.config.session_store :cookie_store, key: "_my_application_session", httponly: false
ilgam
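Added example (not code from any of the answers above): a small Ruby check that reads a response's Set-Cookie headers and reports whether the session cookie actually carries the HttpOnly, Secure and SameSite attributes, so the effect of `httponly: false` can be verified against a real response rather than assumed from the config. The cookie name and header values below are constructed samples.

```ruby
# Parse one Set-Cookie header value into its name, value and attribute hash.
# Attribute names are lower-cased; flag attributes (HttpOnly, Secure) map to true.
def parse_set_cookie(header)
  pair, *attrs = header.split(';').map(&:strip)
  name, value = pair.split('=', 2)
  flags = {}
  attrs.each do |attr|
    k, v = attr.split('=', 2)
    flags[k.downcase] = v.nil? ? true : v
  end
  { name: name, value: value, attrs: flags }
end

# Given the Set-Cookie headers of a response and the session cookie key
# (e.g. '_my_application_session'), return the protections that are missing.
def session_cookie_findings(set_cookie_headers, session_key)
  cookie = set_cookie_headers.map { |h| parse_set_cookie(h) }
                             .find { |c| c[:name] == session_key }
  return [:session_cookie_not_set] if cookie.nil?

  findings = []
  findings << :missing_httponly unless cookie[:attrs]['httponly']
  findings << :missing_secure   unless cookie[:attrs]['secure']
  findings << :missing_samesite unless cookie[:attrs]['samesite']
  findings
end

# Constructed sample headers (hypothetical values): one with the HttpOnly flag
# present, one as a session cookie would look after setting httponly: false.
DEFAULT_HEADER  = '_my_application_session=abc123; path=/; HttpOnly; SameSite=Lax'
WEAKENED_HEADER = '_my_application_session=abc123; path=/'

if __FILE__ == $PROGRAM_NAME
  p session_cookie_findings([DEFAULT_HEADER], '_my_application_session')
  p session_cookie_findings([WEAKENED_HEADER], '_my_application_session')
end
```

Run it against the headers returned by a real request (e.g. copied from `curl -i`) to confirm a deployment still sets HttpOnly and Secure on the session cookie.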