#150 new

Security improvement

Reported by Jurand | October 3rd, 2009 @ 06:26 PM

Currently, there is no possibility to set the "SECURE" and "HTTPONLY" flags on Authlogic's session cookie. To do this I had to monkey patch the Authlogic plugin. Such a feature will be very handy. Below is my monkey patch:

module Authlogic
  module Session
    module Cookies
      module InstanceMethods
        # Overrides Authlogic's save_cookie so the persistence cookie is
        # written with the Secure and HttpOnly flags set.
        def save_cookie
          controller.cookies[cookie_key] = {
            :value => "#{record.persistence_token}::#{record.send(record.class.primary_key)}",
            :expires => remember_me_until,
            :domain => controller.cookie_domain,
            :secure => true,
            :httponly => true
          }
        end
      end
    end
  end
end

Comments and changes to this ticket

  • Peter Lyons

    Peter Lyons November 15th, 2010 @ 11:53 PM

    • Milestone order changed from “0” to “0”

    Any update on this over a year later? I have this exact same need. Jurand, could you tell me exactly where you inserted that monkey patch code?

  • David Reese

    David Reese November 15th, 2010 @ 11:58 PM

    Peter, just add it as a file in the config/initializers/ directory (generally a great place for monkey patches!). It will get picked up and monkey-patch correctly from there.

  • David Reese

    David Reese November 15th, 2010 @ 11:59 PM

    Ah, and I did one of these:

    :secure => RAILS_ENV == 'production'

    which makes things easier in development.
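As an added example (not code from the ticket or from Authlogic itself), the snippet below models what the monkey patch above and David's RAILS_ENV variant produce: it builds the same cookie attribute hash, renders it as the Set-Cookie header a cookie jar would emit, and audits a header for the two flags. The cookie name user_credentials, the domain, the token and the id are assumed sample values; `env` stands in for RAILS_ENV.

```ruby
require 'time'

# Same attributes the patched save_cookie passes to controller.cookies[cookie_key].
# persistence_token / record_id are the two values Authlogic joins with "::";
# domain is a placeholder for controller.cookie_domain (assumed sample value).
def authlogic_cookie_attributes(persistence_token, record_id, expires, env: 'production')
  {
    :value    => "#{persistence_token}::#{record_id}",
    :expires  => expires,
    :domain   => '.example.com',
    :secure   => env == 'production', # David's variant: Secure only where HTTPS is in use
    :httponly => true
  }
end

# Renders the attribute hash the way a cookie jar serialises it into Set-Cookie.
def set_cookie_header(name, attrs)
  parts = ["#{name}=#{attrs[:value]}"]
  parts << "domain=#{attrs[:domain]}" if attrs[:domain]
  parts << "expires=#{attrs[:expires].httpdate}" if attrs[:expires]
  parts << 'secure' if attrs[:secure]
  parts << 'HttpOnly' if attrs[:httponly]
  parts.join('; ')
end

# Audit helper: given one Set-Cookie header value, return the names of the
# flags that are missing (empty array means both Secure and HttpOnly are set).
def missing_cookie_flags(header)
  flags = header.split(';').drop(1).map { |attr| attr.strip.downcase }
  missing = []
  missing << 'Secure'   unless flags.include?('secure')
  missing << 'HttpOnly' unless flags.include?('httponly')
  missing
end

if __FILE__ == $0
  until_when = Time.now + 3600 * 24 * 30
  prod = set_cookie_header('user_credentials', authlogic_cookie_attributes('tok', 42, until_when))
  dev  = set_cookie_header('user_credentials', authlogic_cookie_attributes('tok', 42, until_when, env: 'development'))
  puts prod, dev
  puts "production missing: #{missing_cookie_flags(prod).inspect}"
  puts "development missing: #{missing_cookie_flags(dev).inspect}"
end
```

Running the audit against the headers your app actually returns (for example from a curl -I capture) is a quick way to confirm the initializer was loaded.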

  • Peter Lyons

    Peter Lyons November 16th, 2010 @ 12:27 AM

    Thanks for the tips, David. I was able to get it working! On the same note, any idea how to set these same 2 flags for the main rails session cookie?
