设置“安全"即使通过 HTTP 在 RoR 中的会话 cookie 上标记 [英] Set "secure" flag on session cookie in RoR even over HTTP
问题描述
在 Rails 应用程序中,会话 cookie 可以轻松设置为包含 secure cookie 属性,当通过 HTTPS 发送时,以确保 cookie 不会通过非 HTTP 连接泄漏.
In a Rails app, the session cookie can be easily set to include the secure cookie attribute, when sending over HTTPS to ensure that the cookie is not leaked over a non-HTTP connection.
但是,如果 Rails 应用程序不使用 HTTPS,而仅使用 HTTP,则它似乎根本没有设置 cookie.
虽然这确实有一定道理,但在这种情况下,有一个单独的前端负载平衡器,它负责终止 SSL 连接.从 LB 到 Rails 应用程序,连接仅是 HTTP.
However, if the Rails app is NOT using HTTPS, but HTTP only, it seems that it doesnt even set the cookie at all.
While this does make some sense, in this scenario there is a seperate front end load balancer, which is responsible for terminating the SSL connection. From the LB to the Rails app, the connection is HTTP only.
如何强制 Rails 应用设置 secure cookie,即使不使用 HTTPS?
How can I force the Rails app to set a secure cookie, even when not using HTTPS?
推荐答案
根据定义,安全 cookie 不会通过非安全连接发送.
Secure cookies are not sent over non-secure connections by definition.
在上游终止 SSL 是很常见的,但是您需要传递某些头字段,以便 Rails 知道并且可以做正确的事情.
Terminating SSL upstream is quite common, but you need to pass certain header fields through so that Rails knows and can do the right thing.
这是一份文档,解释了nginx 的配置非常详细.搜索设置标题"以跳转到描述您需要通过的特定标题的部分.
Here's a document that explains the configuration in pretty good detail for nginx. Search for "Set headers" to jump to the section describing the specific headers you need to pass through.
使用此配置存在安全注意事项,例如,如果终止 SSL 的设备与 Rails 主机不在同一个安全 LAN 上,那么您就有漏洞.
There are security considerations using this configuration, e.g., if the device terminating SSL is not on the same secure LAN as the Rails host, then you have a vulnerability.
这篇关于设置“安全"即使通过 HTTP 在 RoR 中的会话 cookie 上标记的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
