Force Rails cookie to send to any type of connection (secure / insecure)

I set the cookie in the browser like this:

```ruby
def set_browser_cookie
  cookies.permanent[:ignore_stats_cookie] = {
    :value    => STAT_COOKIE,
    :domain   => :all,
    :secure   => false,
    :httponly => false
  }
  redirect_to settings_path
end
```

When I look at the cookie in Chrome in DEVELOPMENT, the cookie allows any type of connection.

[screenshot: cookie in Chrome on localhost]

When I look at the cookie in Chrome in PRODUCTION, the cookie only allows secure connections (the app itself is https).

[screenshot: cookie in Chrome in production]

I set the cookie to :secure => false, so why is the cookie set for secure connections only during production?


I have the same problem, and I was able to reproduce it on my development machine using the tunnels stone as a proxy and setting force_ssl = true in the development environment.

I debugged Rack and ActionPack and found that the header was sent without `; secure` at the end, but after that it changed.

The next step is to use Wireshark to capture the SSL session and decrypt it, but I ran out of time.

I tested using a PHP application hosted by nginx, and over HTTPS the server was able to send cookies that did not have the secure flag enabled. So this problem is definitely specific to the stack we are using with Rails, not a browser problem.

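The behaviour the answer above observed (the `Set-Cookie` header leaving the controller without `; secure` and acquiring it later) is what Rails' `ActionDispatch::SSL` middleware does when `config.force_ssl = true`: it appends `; secure` to every cookie in the response, regardless of the `:secure => false` option given to `cookies.permanent`. The following is an added example, not code from the question, the answer or Rails itself. It is plain Ruby with no Rack gem required (a Rack app is just a callable returning `[status, headers, body]`), the middleware class is a simplified stand-in for the real one, the cookie value and domain are constructed placeholders, and the newline-joined `Set-Cookie` format is the Rack 1/2 convention the answer's Rails version used. The `secure_cookies: false` knob mirrors the `config.ssl_options = { secure_cookies: false }` setting that exists in Rails 5 and later; on older Rails the flag was added unconditionally.

```ruby
# Added example (not from the original question or answer): a minimal stand-in
# for the Set-Cookie rewriting that ActionDispatch::SSL performs when
# config.force_ssl is true, plus a parser that reads the resulting header the
# way a browser would, so the Secure flag can be checked in a test.

COOKIE_VALUE = "stats-off" # constructed placeholder for the question's STAT_COOKIE

# Inner "app" that sets the cookie the way the question's controller does:
# a value and a Domain attribute, but no Secure and no HttpOnly flag.
APP = lambda do |_env|
  headers = {
    "Content-Type" => "text/html",
    "Set-Cookie"   => "ignore_stats_cookie=#{COOKIE_VALUE}; domain=.example.test; path=/"
  }
  [302, headers, ["redirecting"]]
end

# Simplified middleware mirroring the relevant part of ActionDispatch::SSL:
# each cookie in the response gets "; secure" appended unless it already has it.
# In Rack 1/2, several cookies are joined with "\n" in a single header value.
class FlagCookiesAsSecure
  def initialize(app, secure_cookies: true)
    @app = app
    @secure_cookies = secure_cookies
  end

  def call(env)
    status, headers, body = @app.call(env)
    if @secure_cookies && headers["Set-Cookie"]
      cookies = headers["Set-Cookie"].split("\n")
      cookies.map! { |c| c =~ /;\s*secure\b/i ? c : "#{c}; secure" }
      headers["Set-Cookie"] = cookies.join("\n")
    end
    [status, headers, body]
  end
end

# Parse one Set-Cookie line into name, value and a hash of attributes
# (bare flags such as "secure" map to true, key=value attributes to their value).
def parse_set_cookie(line)
  name_value, *attrs = line.split(";").map(&:strip)
  name, value = name_value.split("=", 2)
  flags = {}
  attrs.each do |attr|
    key, val = attr.split("=", 2)
    flags[key.downcase] = val.nil? ? true : val
  end
  { name: name, value: value, attrs: flags }
end

# Run the app with or without the SSL middleware and report whether the
# cookie the browser stores would be restricted to HTTPS connections.
def cookie_secure?(force_ssl:, secure_cookies: true)
  app = force_ssl ? FlagCookiesAsSecure.new(APP, secure_cookies: secure_cookies) : APP
  _status, headers, _body = app.call({})
  parse_set_cookie(headers["Set-Cookie"])[:attrs].key?("secure")
end

if __FILE__ == $0
  puts "development, no force_ssl:              secure=#{cookie_secure?(force_ssl: false)}"
  puts "production, force_ssl:                  secure=#{cookie_secure?(force_ssl: true)}"
  puts "production, force_ssl, secure_cookies off: secure=#{cookie_secure?(force_ssl: true, secure_cookies: false)}"
end
```

The third case is the one to think about before reaching for it: a cookie that must be readable over plain HTTP on a site that otherwise forces HTTPS is exposed on every non-TLS request, so disabling `secure_cookies` for the whole app trades the protection force_ssl was meant to give for one cookie's convenience.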

Source: https://habr.com/ru/post/1440080/


All Articles