The Rails session cookie is HttpOnly by default but the remember_user_token cookie set by Devise’s Rememberable module is not.
As I understand it that cookie when sent will result in the user being issued a new session cookie, so surely it’s as vulnerable to XSS.
So is there any way to set it to HttpOnly?
With the help of @camonz on #rubyonrails I came up with this monkey patch:
https://gist.github.com/749289
In Devise 1.1.3 the cookie options are hardcoded so a monkey patch is all I could think would work.
However, Devise 1.2rc looks like it will allow configuration because it pulls in resource.cookie_options (e.g. pulling cookie_options from the User model, so you should be able to set it there somehow – haven’t figured that out yet).

P.S. I haven’t figured out how to test this yet. To test manually in Chrome, switch to the tab the cookie is set in, open Developer Tools with Alt + Cmd + I, switch to the Storage tab, click the item under ‘Cookies’ (localhost in my case), and look at the HTTP column. There’ll be a tick if the cookie is HttpOnly. For reference, the Rails session cookie, called _session_id by default, is HttpOnly by default.
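As an added example (not code from the original post, the linked gist or Devise), here is a small Ruby check that parses Set-Cookie header values and lists the cookies lacking the HttpOnly attribute; it can stand in for the manual Chrome inspection described above, e.g. run against response.headers["Set-Cookie"] in an integration test. The cookie names and values are constructed.

```ruby
# Added example (not from the original post): parse Set-Cookie header values
# and report which cookies are missing the HttpOnly flag. Cookie names and
# values below are constructed; the check is the kind of assertion one would
# put in a Rails integration test against response.headers["Set-Cookie"].

# Parse a single Set-Cookie header value into name, value and attribute names.
def parse_set_cookie(header)
  pair, *attrs = header.split(";").map(&:strip)
  name, value = pair.split("=", 2)
  # Attribute names are case-insensitive (HttpOnly, httponly, ...).
  attributes = attrs.map { |a| a.split("=", 2).first.downcase }
  { name: name, value: value, attributes: attributes }
end

# Given one or more Set-Cookie header values (Rails may also join several
# cookies with "\n" in a single header), return the names of cookies that
# lack the HttpOnly attribute.
def cookies_missing_httponly(set_cookie_headers)
  Array(set_cookie_headers)
    .flat_map { |h| h.split("\n") }
    .reject(&:empty?)
    .map { |h| parse_set_cookie(h) }
    .reject { |c| c[:attributes].include?("httponly") }
    .map { |c| c[:name] }
end

# Constructed sample headers resembling a login response: the session cookie
# carries HttpOnly, the remember-me cookie does not.
SAMPLE_HEADERS = [
  "_session_id=0123456789abcdef; path=/; HttpOnly",
  "remember_user_token=dXNlcnRva2Vu; path=/; expires=Sat, 01 Jan 2011 00:00:00 GMT",
].freeze

if __FILE__ == $PROGRAM_NAME
  missing = cookies_missing_httponly(SAMPLE_HEADERS)
  puts(missing.empty? ? "all cookies HttpOnly" : "not HttpOnly: #{missing.join(', ')}")
end
```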