GitHub User: RogerE
Site: http://blog.ertesvag.no/
-
watch on iTunes
-
follow on Twitter
-
follow on Facebook
-
subscribe to RSS feed
watch on iTunes
follow on Twitter
follow on Facebook
subscribe to RSS feed
Device, and probably most other Rails authentication solutions, uses Rails built in sessions. To make the Rails session cookie secure in production add the following to the 'Application.config.session_store' setting in 'session_store.rb':
secure: Rails.env == 'production'
Also, if you are using Rememberable, you should have the following setting in 'devise.rb':
config.rememberable_options = {:secure => Rails.env == 'production'}
Note that even with 'config.force_ssl = true' the cookie will be sent in the clear in the first request if someone chooses to access to site without https, so to be secure you should always use secure cookies. It's also a good idea to set the session cookie to HttpOnly to avoid cross site scripting.