Re: [Rails-core] HttpOnly cookies by default

2015-06-04 Thread david . ragone
Is this proposal dead? I would like to see this as well. It seems like a default worth having, and an optional way to turn it off solves the backwards compatibility problem. On Tuesday, May 27, 2014 at 9:56:58 AM UTC-7, Stephen Touset wrote: In that case, even that shared cookie should

Re: [Rails-core] HttpOnly cookies by default

2014-05-27 Thread Stephen Touset
In that case, even that shared cookie should likely be HttpOnly anyway. I'm not quite following why anyone would really oppose such a change here — Rails needs to maintain a strong secure-by-default stance, and every case where developers have to opt-in to security is a case where many

Re: [Rails-core] HttpOnly cookies by default

2014-05-19 Thread Gabriel Sobrinho
I can't be sure, but using cookies for that sounds like the wrong solution to me; you have better options like a shared database, a redis instance may work. You'll need to use a cookie to share a session identifier (I would use a uuid) between the applications, but reducing it to just one cookie may

Re: [Rails-core] HttpOnly cookies by default

2014-05-18 Thread Matt Jones
I’ve had to resort to some pretty weird cookie stuff when passing data between a Rails app and non-Rails applications. The session is handy, but parsing it anywhere but in Rails is difficult and *updating* it outside of Rails is more difficult. —Matt Jones On May 17, 2014, at 9:12 AM, Gabriel

[Rails-core] HttpOnly cookies by default

2013-01-07 Thread Stephen Touset
Earlier, someone proposed on the GH issues tracker that Rails default all cookies to HttpOnly[1]. Rails already makes the session cookie HttpOnly, but given a general to keep Rails secure-by-default, it would probably be best if *all* cookies defaulted to HttpOnly. This would be a