I’ve had to resort to some pretty weird cookie stuff when passing data between a Rails app and non-Rails applications. The session is handy, but parsing it anywhere but in Rails is difficult and *updating* it outside of Rails is more difficult.
—Matt Jones

On May 17, 2014, at 9:12 AM, Gabriel Sobrinho <gabriel.sobri...@gmail.com> wrote:

> I would argue that if you have some information that can't be hijacked and even parsed on javascript (httponly cookies can't be read on javascript at all), why would you use cookies instead of the rails session?
>
> On Friday, May 16, 2014 7:07:42 PM UTC-3, fedesoria wrote:
>
> I would like to see this happen, since when dealing with Enterprise Vulnerability Scans it always comes up.
>
> On Monday, January 7, 2013 2:09:42 PM UTC-8, Stephen Touset wrote:
>
> Earlier, someone proposed on the GH issues tracker that Rails default all cookies to HttpOnly[1]. Rails already makes the session cookie HttpOnly, but given a general to keep Rails secure-by-default, it would probably be best if *all* cookies defaulted to HttpOnly. This would be a compatibility-breaking change, but it wouldn't be difficult to add a configuration option that can be defaulted to false for existing Rails apps that are upgraded.
>
> I'm more than happy to write the code for this change, but wanted to discuss it here first to see if anyone objects strongly. Josh Peek had concerns with backwards compatibility, but I think my proposal above for a configuration option should satisfy them. Anyone care to weigh in?
>
> [1] https://github.com/rails/rails/issues/1449
>
> --
> You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group.
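One way to get the secure-by-default behaviour Stephen proposes while keeping the opt-out that the backwards-compatibility concern calls for is a Rack-style middleware that adds `HttpOnly` to every `Set-Cookie` an app emits unless the cookie is on an explicit allow list. This is an added example in plain Ruby, not code from Rails or from anyone in this thread; the class name `HttpOnlyByDefault` and the `js_readable` option are hypothetical, and it depends on nothing beyond the standard Rack `[status, headers, body]` contract.

```ruby
# Hypothetical middleware: HttpOnly becomes the default for every cookie the
# wrapped app sets. Cookies that client-side JavaScript legitimately needs to
# read are named in `js_readable` and are left untouched (the opt-out that
# keeps existing apps working).
class HttpOnlyByDefault
  SET_COOKIE = "Set-Cookie"

  def initialize(app, js_readable: [])
    @app = app
    @js_readable = js_readable.map(&:to_s)
  end

  def call(env)
    status, headers, body = @app.call(env)
    raw = headers[SET_COOKIE]
    headers[SET_COOKIE] = self.class.harden(raw, @js_readable) if raw
    [status, headers, body]
  end

  # Accepts either one header string with newline-separated cookies (the form
  # older Rack used) or an Array of cookie strings; returns the same shape.
  def self.harden(raw, js_readable = [])
    cookies = raw.is_a?(Array) ? raw : raw.split("\n")
    hardened = cookies.map { |c| harden_one(c, js_readable) }
    raw.is_a?(Array) ? hardened : hardened.join("\n")
  end

  # Appends "; HttpOnly" unless the cookie is allow-listed or already has it.
  def self.harden_one(cookie, js_readable)
    name = cookie.split("=", 2).first.strip
    return cookie if js_readable.include?(name)
    attrs = cookie.split(";").map(&:strip)
    return cookie if attrs.any? { |a| a.casecmp("httponly").zero? }
    "#{cookie}; HttpOnly"
  end
end

if __FILE__ == $0
  # Constructed sample app: one cookie meant for the server, one for JS.
  app = ->(_env) { [200, { "Set-Cookie" => "token=abc; path=/\ntheme=dark; path=/" }, ["ok"]] }
  _status, headers, _body = HttpOnlyByDefault.new(app, js_readable: ["theme"]).call({})
  puts headers["Set-Cookie"]
end
```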