How do I get Devise's Rememberable module to use http_only for the remember me cookie?
The Rails session cookie is HttpOnly by default, but the remember_user_token cookie set by Devise's Rememberable module is not.
As I understand it that cookie when sent will result in the user being issued a new session cookie, so surely it's as vulnerable to XSS.
So is there any way to set it to HttpOnly?
With the help of @camonz on #rubyonrails I came up with this monkey patch: https://gist.github.com/749289
In Devise 1.1.3 the cookie options are hardcoded, so a monkey patch is all I could think would work.
However, Devise 1.2rc looks like it will allow configuration because it pulls in resource.cookie_options (e.g. pulling cookie_options from the User model, so you should be able to set it there somehow; I haven't figured that out yet).
P.S. I haven't figured out how to test this yet. To test manually in Chrome, switch to the tab the cookie is set in, open Developer Tools with Alt + Cmd + I, switch to the Storage tab, click the item under 'Cookies' (localhost in my case), and look at the HTTP column. There'll be a tick if the cookie is HttpOnly. For reference, the Rails session cookie, called _session_id by default, is HttpOnly by default.
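An added example, not from the question, the answer's gist, or Devise's own source: it shows the cookie options hash the remember cookie needs (httponly: true, in the form a Rack/Rails cookie jar accepts) and a check that reads the HttpOnly flag straight from Set-Cookie response headers, so the verification can run in a test or against `curl -i` output instead of by eye in the browser's Storage tab. The cookie values and the expiry are constructed; remember_user_token and _session_id are the names used above.

```ruby
require 'time'

# Cookie options in the shape a Rails/Rack cookie jar takes them. The remember
# cookie described in the question is set without :httponly; this is the form
# it needs. The token value and expiry are constructed for the example.
REMEMBER_COOKIE_OPTIONS = {
  value: 'constructed-remember-token',
  expires: Time.utc(2011, 1, 1),
  path: '/',
  httponly: true
}.freeze

# Render a Set-Cookie header value the way a Rack app emits it.
def set_cookie_header(name, options)
  parts = ["#{name}=#{options.fetch(:value)}"]
  parts << "domain=#{options[:domain]}" if options[:domain]
  parts << "path=#{options[:path] || '/'}"
  parts << "expires=#{options[:expires].httpdate}" if options[:expires]
  parts << 'secure' if options[:secure]
  parts << 'HttpOnly' if options[:httponly]
  parts.join('; ')
end

# Parse Set-Cookie header values (one per element; split on "\n" first if your
# test client joins them) into { name => { httponly: bool, secure: bool } }.
# Attribute names are matched case-insensitively, as browsers do.
def cookie_flags(set_cookie_values)
  set_cookie_values.each_with_object({}) do |header, flags|
    attrs = header.split(';').map(&:strip)
    name = attrs.shift.split('=', 2).first
    lowered = attrs.map(&:downcase)
    flags[name] = {
      httponly: lowered.include?('httponly'),
      secure: lowered.include?('secure')
    }
  end
end

# Names of authentication cookies that a script running in the page could read.
# This is the condition the question is worried about for remember_user_token.
def script_readable_auth_cookies(set_cookie_values, auth_cookie_names)
  cookie_flags(set_cookie_values)
    .select { |name, f| auth_cookie_names.include?(name) && !f[:httponly] }
    .keys
end

AUTH_COOKIES = %w[_session_id remember_user_token].freeze

# Constructed responses: the session cookie as Rails sets it, the remember
# cookie as the question describes it (no HttpOnly), and the fixed one.
SESSION_HEADER = set_cookie_header('_session_id', value: 'constructed-session', path: '/', httponly: true)
WEAK_REMEMBER_HEADER = set_cookie_header('remember_user_token', REMEMBER_COOKIE_OPTIONS.merge(httponly: false))
FIXED_REMEMBER_HEADER = set_cookie_header('remember_user_token', REMEMBER_COOKIE_OPTIONS)

if __FILE__ == $PROGRAM_NAME
  puts "before: #{script_readable_auth_cookies([SESSION_HEADER, WEAK_REMEMBER_HEADER], AUTH_COOKIES).inspect}"
  puts "after:  #{script_readable_auth_cookies([SESSION_HEADER, FIXED_REMEMBER_HEADER], AUTH_COOKIES).inspect}"
end
```

In a functional test, feed the app's actual Set-Cookie headers from the login response (with "Remember me" ticked) to script_readable_auth_cookies and assert the result is empty; that turns the manual DevTools check in the P.S. into a regression test that fails if an upgrade or a missed monkey patch drops the flag again.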