
How do I get Devise's Rememberable module to use http_only for the remember me cookie?

The Rails session cookie is HttpOnly by default, but the remember_user_token cookie set by Devise's Rememberable module is not.

As I understand it, that cookie, when sent, will result in the user being issued a new session cookie, so surely it's just as vulnerable to XSS.


So is there any way to set it to HttpOnly?


With the help of @camonz on #rubyonrails, I came up with this monkey patch: https://gist.github.com/749289

In Devise 1.1.3 the cookie options are hardcoded, so a monkey patch is all I could think of that would work.

However, Devise 1.2rc looks like it will allow configuration, because it pulls in resource.cookie_options (e.g. pulling cookie_options from the User model, so you should be able to set it there somehow; I haven't figured that out yet).

P.S. I haven't figured out how to test this yet. To test manually in Chrome, switch to the tab the cookie is set in, open Developer Tools with Alt + Cmd + I, switch to the Storage tab, click the item under 'Cookies' (localhost in my case), and look at the HTTP column. There'll be a tick if the cookie is HttpOnly. For reference, the Rails session cookie, called _session_id by default, is HttpOnly by default.

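An automated counterpart to the manual Chrome check above, added here as an example (not code from the answer's gist or from Devise): it parses the Set-Cookie header of a login response and reports which session-bearing cookies lack the HttpOnly flag, so a Rails integration test can assert on `remember_user_token` directly. It assumes the header is either an Array of Set-Cookie values or the newline-joined String older Rack versions place in `response.headers["Set-Cookie"]`; the sample response below is constructed.

```ruby
# Added example: checker for the HttpOnly flag on cookies in a Set-Cookie
# header, meant to be called from an integration test. Not Devise code.

# Parse one Set-Cookie value into { name:, value:, attrs: }.
# Attribute names are downcased; flags without '=' get the value true.
def parse_set_cookie(line)
  parts = line.split(";").map(&:strip).reject(&:empty?)
  name, value = parts.shift.split("=", 2)
  attrs = {}
  parts.each do |attr|
    k, v = attr.split("=", 2)
    attrs[k.downcase] = v.nil? ? true : v
  end
  { name: name, value: value, attrs: attrs }
end

# Accepts either an Array of Set-Cookie values or the newline-joined
# String that older Rack versions put in response.headers["Set-Cookie"].
def parse_set_cookies(header)
  lines = header.is_a?(Array) ? header : header.to_s.split("\n")
  lines.map { |l| parse_set_cookie(l) }
end

# Names of the cookies in `header` that carry session state (the `watched`
# list) but were set without the HttpOnly flag. Empty array means all good.
def cookies_missing_http_only(header, watched = %w[_session_id remember_user_token])
  parse_set_cookies(header)
    .select { |c| watched.include?(c[:name]) && !c[:attrs].key?("httponly") }
    .map { |c| c[:name] }
end

# Constructed sample of what a Devise 1.1.3 login response could look like:
# the Rails session cookie is HttpOnly, the remember cookie is not.
SAMPLE_HEADER = [
  "_session_id=BAh7B0kiD3Nlc3Npb25faWQ; path=/; HttpOnly",
  "remember_user_token=MTIzNDU-Uk5HRlFN; path=/; expires=Mon, 20-Dec-2010 10:00:00 GMT"
].join("\n")

if __FILE__ == $0
  puts cookies_missing_http_only(SAMPLE_HEADER).inspect
  # => ["remember_user_token"]
end
```

In an integration test, `assert_equal [], cookies_missing_http_only(response.headers["Set-Cookie"])` after signing in with "remember me" checked fails until the remember cookie is issued with HttpOnly.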
