RailsCasts Pro episodes are now free!

Learn more or hide this

Roger Ertesvåg's Profile

GitHub User: RogerE

Site: http://blog.ertesvag.no/

Comments by Roger Ertesvåg


Device, and probably most other Rails authentication solutions, uses Rails built in sessions. To make the Rails session cookie secure in production add the following to the 'Application.config.session_store' setting in 'session_store.rb':

secure: Rails.env == 'production'

Also, if you are using Rememberable, you should have the following setting in 'devise.rb':

config.rememberable_options = {:secure => Rails.env == 'production'}


Note that even with 'config.force_ssl = true' the cookie will be sent in the clear in the first request if someone chooses to access to site without https, so to be secure you should always use secure cookies. It's also a good idea to set the session cookie to HttpOnly to avoid cross site scripting.