Sign in through GitHub

Please read for an updated status on RailsCasts:

Learn more or hide this

Roger Ertesvåg's Profile

GitHub User: RogerE

Site: http://blog.ertesvag.no/

Comments by Roger Ertesvåg

Avatar

Device, and probably most other Rails authentication solutions, uses Rails built in sessions. To make the Rails session cookie secure in production add the following to the 'Application.config.session_store' setting in 'session_store.rb':

secure: Rails.env == 'production'

Also, if you are using Rememberable, you should have the following setting in 'devise.rb':

config.rememberable_options = {:secure => Rails.env == 'production'}

Avatar

Note that even with 'config.force_ssl = true' the cookie will be sent in the clear in the first request if someone chooses to access to site without https, so to be secure you should always use secure cookies. It's also a good idea to set the session cookie to HttpOnly to avoid cross site scripting.