Secure session cookie is not set


Problem description


I'm trying to set the session cookie secure flag to true. I added the following to my environments/production.rb

ActionController::Base.session_options[:secure] = true


In the production mode I don't see the set-cookie header in the server response (I'm using the Tamper Data Firefox tool to view the traffic). I tried removing all cookies, manually setting the domain including the child domain (since the domain is shared among many applications, the Apache server forwards the requests to the right application and thus the request is always received by the application server as if it's coming from localhost). I also tried to test it in development mode; I assume the server should at least set the cookie even if the request is over http (the browser won't send the cookie over http), but again the server does not send the set-cookie header. The session works just fine if I don't set the secure flag. Am I missing something here?

Recommended answer


I found out that in my version of actionpack, session cookies are only set over ssl. Although by definition the server can set a secure cookie when the request is over http, the browser will not send it with further requests. In my application I don't enforce ssl on the app level but on the Apache level instead, so the initial request made to rails is over http and the cookie is not set.
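The behaviour in the question and the answer above (no Set-Cookie header when the app believes the request is plain HTTP, even though the browser spoke HTTPS to Apache) can be reproduced with a small dependency-free model. This is an added example, not code from the question, the answer, or Rails itself. It mirrors two documented rules: Rack::Request derives the scheme from HTTPS, X-Forwarded-SSL and X-Forwarded-Proto, and ActionDispatch::Cookies writes a secure cookie only if request.ssl? or always_write_cookie (true in development/test) holds. The function names, the sample environments and the always_write_cookie keyword are my own simplification; a real Rack env carries many more keys.

```ruby
# Added example: model of "is this request over SSL?" and "should the secure
# session cookie be written?" as a Rack/Rails app behind a TLS-terminating
# proxy sees it. Names and sample environments are constructed for this
# example; they are not Rails internals.

# Effective scheme as a Rack app computes it (simplified from
# Rack::Request#scheme). Without a forwarded-proto header from the proxy,
# a request that was HTTPS at Apache looks like plain HTTP here.
def effective_scheme(env)
  return "https" if env["HTTPS"] == "on"
  return "https" if env["HTTP_X_FORWARDED_SSL"] == "on"
  if (proto = env["HTTP_X_FORWARDED_PROTO"])
    # A chain of proxies may append values; the first one is the client-facing scheme.
    return proto.split(",").first.strip
  end
  env["rack.url_scheme"] || "http"
end

def ssl?(env)
  effective_scheme(env) == "https"
end

# Rule from ActionDispatch::Cookies: a cookie flagged secure is only written
# when the request is seen as SSL, unless always_write_cookie is on
# (the development/test default, which is why the problem shows up only in production).
def write_cookie?(env, secure:, always_write_cookie: false)
  ssl?(env) || !secure || always_write_cookie
end

# Returns the Set-Cookie header value, or nil when the app would not emit one.
def session_set_cookie(env, name:, value:, secure: true, http_only: true, always_write_cookie: false)
  return nil unless write_cookie?(env, secure: secure, always_write_cookie: always_write_cookie)
  parts = ["#{name}=#{value}", "path=/"]
  parts << "secure" if secure
  parts << "HttpOnly" if http_only
  parts.join("; ")
end

# Constructed sample environments (not captured from a real server).
# DIRECT_HTTP: what the app server sees when Apache terminates TLS and forwards
# to localhost over plain HTTP without any forwarded-proto header.
DIRECT_HTTP   = { "rack.url_scheme" => "http", "REMOTE_ADDR" => "127.0.0.1" }.freeze
# PROXIED_HTTPS: the same hop, but Apache adds the header, e.g. with mod_headers:
#   RequestHeader set X-Forwarded-Proto "https"
PROXIED_HTTPS = DIRECT_HTTP.merge("HTTP_X_FORWARDED_PROTO" => "https").freeze

if __FILE__ == $0
  [["direct http", DIRECT_HTTP], ["proxied https", PROXIED_HTTPS]].each do |label, env|
    header = session_set_cookie(env, name: "_app_session", value: "opaque-session-id")
    puts "#{label}: #{header.nil? ? '(no Set-Cookie header)' : "Set-Cookie: #{header}"}"
  end
end
```

The fix that follows from the model is on the proxy, not in the cookie options: keep the secure flag, and have Apache forward the original scheme (`RequestHeader set X-Forwarded-Proto "https"` inside the HTTPS virtual host) so the app's ssl? check is true and the Set-Cookie header is emitted with `secure` and `HttpOnly`. Dropping the flag would make the cookie appear, but it would then also be sent by the browser over any plain-HTTP request to the domain.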

