I don't think you can use Rails sessions without cookies support...

On 17/05/2014 10:12, "Gabriel Sobrinho" <gabriel.sobri...@gmail.com> wrote:
> I would argue that if you have some information that can't be hijacked and
> even parsed on javascript (httponly cookies can't be read on javascript at
> all), why would you use cookies instead of the rails session?
>
> On Friday, May 16, 2014 7:07:42 PM UTC-3, fedesoria wrote:
>>
>> I would like to see this happen, since when dealing with
>> Enterprise Vulnerability Scans it always comes up.
>>
>> On Monday, January 7, 2013 2:09:42 PM UTC-8, Stephen Touset wrote:
>>>
>>> Earlier, someone proposed on the GH issues tracker that Rails default
>>> all cookies to HttpOnly[1]. Rails already makes the session cookie
>>> HttpOnly, but given a general to keep Rails secure-by-default, it would
>>> probably be best if *all* cookies defaulted to HttpOnly. This would be a
>>> compatibility-breaking change, but it wouldn't be difficult to add a
>>> configuration option that can be defaulted to false for existing Rails apps
>>> that are upgraded.
>>>
>>> I'm more than happy to write the code for this change, but wanted to
>>> discuss it here first to see if anyone objects strongly. Josh Peek had
>>> concerns with backwards compatibility, but I think my proposal above for a
>>> configuration option should satisfy them. Anyone care to weigh in?
>>>
>>> [1] https://github.com/rails/rails/issues/1449
>>>
>> --
> You received this message because you are subscribed to the Google Groups
> "Ruby on Rails: Core" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to rubyonrails-core+unsubscr...@googlegroups.com.
> To post to this group, send email to rubyonrails-core@googlegroups.com.
> Visit this group at http://groups.google.com/group/rubyonrails-core.
> For more options, visit https://groups.google.com/d/optout.