Force the secure bit of a cookie depending on whether your connection is secure
 Project Readme

Rack::PotentiallySecureCookie

This is a Rack middleware for one very specific purpose:

You have a site running on a server that can be reached through both HTTP and HTTPS. Whichever of the two a user first accesses the site with, she will never switch. So if you access the site the first time through HTTPS, you will keep doing so.

For security reasons we needed a way to ensure that the Secure cookie flag was set whenever our users accessed the site through HTTPS, and that it was not set when they accessed it through HTTP, since with a Secure-flagged cookie the users could not log in over HTTP.

An example of such a setup:

  • The site is running on a secured server deep in the middle of a datacenter
  • This site serves the public internet, and because of this there is SSL termination in front of the site
  • The same site is also used internally at the company, under a split-view setup, and these users cannot go through the SSL termination
  • Since it would be wasteful to run multiple instances of the app only to configure the secure cookie setting differently, something was needed to set it dynamically

Installation and configuration

This is available as a gem, so just add it to your Gemfile:

gem 'rack-potentially-secure-cookies', require: 'rack/potentially_secure_cookies'

In your environment.rb (or maybe environments/production.rb) add the middleware:

config.middleware.insert_before(ActionDispatch::Cookies,
                                Rack::PotentiallySecureCookies,
                                ['_session_id'])

The last argument is an array of cookie names to force this behaviour on.
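To show what such a middleware has to do, here is an added example that is not the gem's own code: it wraps the app, finds the Set-Cookie header in the response, and adds or strips the Secure attribute on the listed cookies depending on whether the request arrived over HTTPS. The HTTPS detection assumes the same signals Rack::Request#ssl? consults (HTTPS variable, URL scheme, X-Forwarded-Proto from a TLS terminator) and avoids requiring Rack so it runs stand-alone.

```ruby
# Added example, not the gem's own code: a minimal Rack middleware that
# forces the Secure attribute on the listed cookies when the request came
# in over HTTPS and strips it when the request came in over plain HTTP.
class PotentiallySecureCookiesExample
  def initialize(app, cookie_names)
    @app = app
    @names = cookie_names.map(&:to_s)
  end

  def call(env)
    status, headers, body = @app.call(env)
    key = headers.keys.find { |k| k.to_s.casecmp('set-cookie').zero? }
    headers[key] = rewrite(headers[key], ssl?(env)) if key
    [status, headers, body]
  end

  # Same signals Rack::Request#ssl? consults (assumed, not copied): the
  # HTTPS CGI variable, the URL scheme, and X-Forwarded-Proto from a
  # TLS-terminating proxy (first value wins when several are listed).
  def ssl?(env)
    env['HTTPS'] == 'on' ||
      env['rack.url_scheme'] == 'https' ||
      env['HTTP_X_FORWARDED_PROTO'].to_s.split(',').first.to_s.strip == 'https'
  end

  # Set-Cookie may be an Array (Rack 3) or a newline-joined String (Rack 2).
  def rewrite(value, secure)
    cookies = value.is_a?(Array) ? value : value.to_s.split("\n")
    rewritten = cookies.map { |c| adjust(c, secure) }
    value.is_a?(Array) ? rewritten : rewritten.join("\n")
  end

  # Add or remove Secure on one Set-Cookie line if its name is managed;
  # cookies not in the list pass through untouched.
  def adjust(cookie, secure)
    name = cookie.split('=', 2).first.to_s.strip
    return cookie unless @names.include?(name)
    attrs = cookie.split(/;\s*/)
    attrs.reject! { |a| a.casecmp('secure').zero? }
    attrs << 'Secure' if secure
    attrs.join('; ')
  end
end
```

Note that an SSL terminator must be trusted to set X-Forwarded-Proto and to overwrite any value a client supplies, otherwise a plain-HTTP client could claim HTTPS and receive a Secure cookie it cannot send back.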

License

MIT License