
In Ruby on Rails, how do I set the session cookie's httpOnly setting to false?

kingjeffrey
    PSA: **don't do this in production**. The `httponly` flag is there for security. It might sound like it means "not https", but it actually means "not available to JavaScript". `httponly` is compatible with the `secure` flag, which means "only send over https connections". See https://www.owasp.org/index.php/HttpOnly – Nathan Long May 10 '17 at 19:06

4 Answers


In Rails 4, you need to edit config/initializers/session_store.rb

# Rails 4: httponly defaults to true; setting it to false makes the session
# cookie readable from JavaScript via document.cookie.
Rails.application.config.session_store(
  :cookie_store,
  key: '_socializus_session',
  httponly: false,
)
Dorian
troelskn
    Reasonable question, CodeDave. You pass the key `:httponly` with the value `false`. (As per the other answers here - it's just that the location of the code to edit has changed from `environment.rb` to an initializer) – troelskn May 05 '14 at 08:34

I figured this out. In /config/environment.rb include this code:

  # Rails 2.3: session options are set on action_controller
  config.action_controller.session = {
    :httponly => false
  }
Dorian
kingjeffrey
  • For what version of rails was this? I'm trying in rails 3, and get the following error: undefined method `session=' for ActionController::Base:Class – Peter Ehrlich Dec 02 '11 at 04:12
  • @Peter This was written before RoR 3 for version 2.3. It has not been tested with 3. – kingjeffrey Dec 03 '11 at 04:53
  • I made a workaround, here: http://stackoverflow.com/questions/8351871/session-cookie-httponly-false-rails-3-1/8371839#8371839 – Peter Ehrlich Dec 04 '11 at 19:44

This is how I did it with Rails 3:

  # Rails 3: same hash keys as the Rails 4 initializer, one consistent hash style
  Testapp::Application.config.session_store :cookie_store,
    key: '_testapp_session',
    domain: :all,
    httponly: false
sailor

Rails has it set to true by default. I don't recommend changing it because it will make your cookies accessible for changing from JS like: document.cookie

In Rails 3+ you can change your cookies configuration from config/initializers/session_store.rb:

# Be sure to restart your server when you modify this file.
Rails.application.config.session_store :cookie_store, key: "_my_application_session", httponly: false
ilgam