Cookie not set when secure option is given in session_store. #132
Comments
Please do investigate. We don't know why this is happening either.
@khajabhanu any new findings on this? I'm experiencing the exact same problem. It appeared when I updated several gems.
Oh, I just realized that the 'secure' option means that the session cookies will only be sent over an HTTPS connection. So that's why it was missing from the response when doing an HTTP request.
Any solution here?
Below is my code in session_store.rb:
Rails.application.config.session_store :active_record_store, key: '_test_key', secure: true
The browser receives the response headers below when it requests the Rails application with the above configuration:
Cache-Control:no-cache
Content-Type:text/html; charset=utf-8
Date:Fri, 10 Aug 2018 10:46:51 GMT
Location:https://xxxxx-xxxx.com/home
Server:nginx/1.12.2 + Phusion Passenger 5.2.3
Status:302 Found
Transfer-Encoding:chunked
X-Content-Type-Options:nosniff
X-Frame-Options:SAMEORIGIN
X-Powered-By:Phusion Passenger 5.2.3
X-Request-Id:xxxxxxxxxxxe5-7f1a2bb20b23
X-Runtime:1.191833
X-XSS-Protection:1; mode=block
The issue is that the "Set-Cookie" header is missing from the response, so nothing is sent back to the application for validation on the next request, since it is a 302 status code.
When I remove "secure" from the configuration as below, the cookie is sent:
Rails.application.config.session_store :active_record_store, key: '_test_key'
And the response is:
Cache-Control:no-cache
Content-Type:text/html; charset=utf-8
Date:Fri, 10 Aug 2018 10:38:05 GMT
Location:https://xxxxxx-wspbx.com/home
Server:nginx/1.12.2 + Phusion Passenger 5.2.3
Set-Cookie:_test_key=06b1bd1397fa64af1eb9c9ed4d2e0b0b; path=/; HttpOnly
Status:302 Found
Transfer-Encoding:chunked
X-Content-Type-Options:nosniff
X-Frame-Options:SAMEORIGIN
X-Powered-By:Phusion Passenger 5.2.3
X-Request-Id:xxxxxxxxxxxxxxxxx7-58e1baab7dc8
X-Runtime:1.207210
X-XSS-Protection:1; mode=block
I need to know what prevents the "Set-Cookie" header from being sent to the browser when the "secure" option is provided for session_store.
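The behaviour reported above is not a bug in the store: Rack's session middleware (Rack::Session::Abstract::Persisted in rack 2.x, which activerecord-session_store builds on) only commits a session when security_matches?(request, options) holds, i.e. when options[:secure] is unset or request.ssl? is true. On a request Rack considers plain HTTP it writes no Set-Cookie at all rather than emitting a Secure cookie the browser would discard. request.ssl? is derived from the request scheme, which honours the reverse-proxy headers HTTPS=on, X-Forwarded-Ssl, X-Forwarded-Scheme and X-Forwarded-Proto; so behind nginx or Passenger the usual check is whether the proxy passes X-Forwarded-Proto https (nginx: proxy_set_header X-Forwarded-Proto $scheme;). Note also that the original config used secure: :true, a Symbol; it is truthy and so behaves like true, but the boolean is the intended spelling. The following is an added example, not code from the issue or from the gem: a simplified, stand-alone re-implementation of that Rack decision over constructed Rack env hashes, so the three cases (plain HTTP, HTTPS terminated at the proxy, direct HTTPS) can be compared without a Rails app. The env hashes and the session id are constructed sample data.

```ruby
# Added example (not the gem's code): reproduces, in plain Ruby, the check
# Rack's session middleware performs before committing a session cookie.
# The header precedence mirrors Rack::Request#scheme in simplified form.

# Derive the request scheme the way Rack does: proxy headers override the
# scheme the app server itself saw (rack.url_scheme).
def request_scheme(env)
  if env['HTTPS'] == 'on' || env['HTTP_X_FORWARDED_SSL'] == 'on'
    'https'
  elsif env['HTTP_X_FORWARDED_SCHEME']
    env['HTTP_X_FORWARDED_SCHEME']
  elsif env['HTTP_X_FORWARDED_PROTO']
    # Only the first hop's value counts when several proxies append to it.
    env['HTTP_X_FORWARDED_PROTO'].split(',')[0].strip
  else
    env['rack.url_scheme']
  end
end

def ssl?(env)
  request_scheme(env) == 'https'
end

# Rack's security_matches?: with secure: true, a non-TLS request is never
# given a session cookie (no Set-Cookie header is emitted at all).
def security_matches?(env, options)
  return true unless options[:secure]
  ssl?(env)
end

# Build the Set-Cookie value Rack would emit for a session id, in Rack's
# attribute order (path, secure, HttpOnly), or return nil when the session
# is not committed, which is what the reporter observed over plain HTTP.
def session_set_cookie(env, session_id, key:, **options)
  return nil unless security_matches?(env, options)
  parts = ["#{key}=#{session_id}", "path=#{options.fetch(:path, '/')}"]
  parts << 'secure' if options[:secure]
  parts << 'HttpOnly' if options.fetch(:httponly, true)
  parts.join('; ')
end

# Constructed sample envs (hypothetical, not real captures).
def plain_http_env
  { 'rack.url_scheme' => 'http', 'REQUEST_METHOD' => 'GET' }
end

# TLS terminated at nginx, which forwards the original scheme to the app.
def tls_terminated_at_proxy_env
  plain_http_env.merge('HTTP_X_FORWARDED_PROTO' => 'https')
end

def direct_https_env
  { 'rack.url_scheme' => 'https', 'REQUEST_METHOD' => 'GET' }
end

if __FILE__ == $0
  sid = 'deadbeefcafe0123'  # constructed session id
  {
    'plain http'          => plain_http_env,
    'https via proxy'     => tls_terminated_at_proxy_env,
    'direct https'        => direct_https_env,
  }.each do |label, env|
    header = session_set_cookie(env, sid, key: '_test_key', secure: true)
    puts "#{label.ljust(16)} secure: true  -> #{header.inspect}"
  end
  puts "plain http       (no secure)   -> " \
       "#{session_set_cookie(plain_http_env, sid, key: '_test_key').inspect}"
end
```

Running the script shows the middle case is the one that matters operationally: the app server still sees an http request, but once the proxy supplies X-Forwarded-Proto: https, Rack treats it as TLS and emits the cookie with the secure attribute. If that header is missing, secure: true silently disables sessions for every request that reaches the app over the proxy's plain-HTTP upstream connection.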