I wanted to talk to you about a problem I had with SslEnforcer recently. I could fork it and make a pull request, as it is easy to change, but I wanted to have your opinion first.
Basically, I needed to share a cookie-based session between http and https on an application, and the only way I found so far is to have a non-secure cookie. Unfortunately, SslEnforcer inevitably sets the secure flag on cookies.
I perfectly understand why the flag is forced and the security breach behind that, but I thought that leaving the option (obviously defaulting to false) would not be that bad, considering the fact that it is still possible to encode the information by passing a coder class to Rack::Session::Cookie with the :coder option.
https://github.com/rack/rack/blob/master/lib/rack/session/cookie.rb#L28-42
Please let me know what you think about that.
Thank you very much,
mig
Yes, I think it's ok to add this option (with the false default like you said) if we add some documentation/warning about it. The pull request is welcome (as always!). Thanks!
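As an added illustration of the behaviour discussed in this thread (example code, not SslEnforcer's own): a minimal Rack-style middleware that appends the secure flag to every Set-Cookie header, with a hypothetical `:secure_cookies` option that leaves the flag off when set to false. The option name, the header lookup and the sample app are assumptions; the flag is what stops a browser from sending the session cookie over plain http, which is exactly what opting out gives up.

```ruby
# Added example, not rack-ssl-enforcer code. Handles Set-Cookie both as a
# newline-joined string (Rack 1.x) and as an array of strings (Rack 3).
class SecureCookieFlagger
  def initialize(app, options = {})
    @app = app
    @secure_cookies = options.fetch(:secure_cookies, true) # hypothetical option
  end

  def call(env)
    status, headers, body = @app.call(env)
    headers = headers.dup
    key = headers.keys.find { |k| k.to_s.casecmp('set-cookie').zero? }
    headers[key] = flag_cookies(headers[key]) if @secure_cookies && key
    [status, headers, body]
  end

  # Accepts a String (newline-separated cookies) or an Array of cookie strings
  # and returns the same shape with "; secure" added where it is missing.
  def flag_cookies(value)
    cookies = value.is_a?(Array) ? value : value.split("\n")
    flagged = cookies.map { |c| c.match?(/;\s*secure\b/i) ? c : "#{c}; secure" }
    value.is_a?(Array) ? flagged : flagged.join("\n")
  end
end

# Constructed sample app: sets a session cookie without the secure flag.
SAMPLE_APP = lambda do |_env|
  [200, { 'Set-Cookie' => 'rack.session=abc123; path=/; HttpOnly' }, ['ok']]
end

# Returns the Set-Cookie header the sample app ends up with under the option.
def set_cookie_for(secure_cookies)
  middleware = SecureCookieFlagger.new(SAMPLE_APP, secure_cookies: secure_cookies)
  _status, headers, _body = middleware.call({})
  headers['Set-Cookie']
end

if __FILE__ == $PROGRAM_NAME
  puts set_cookie_for(true)   # rack.session=abc123; path=/; HttpOnly; secure
  puts set_cookie_for(false)  # rack.session=abc123; path=/; HttpOnly
end
```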