Hi all,
I am a security researcher at the University of Virginia, and I am currently
doing research on HTTP-only cookie deployment. May I ask whether Ruby on
Rails supports HTTP-only cookies? If yes, what is the default
configuration for Ruby on Rails? In other words, do the HTTP servers
need to set HTTP-only manually, or does it apply automatically?
Many thanks in advance,
Yuchen
Session cookies have been http-only by default for a while. If you
create extra cookies by yourself then it's up to you to decide whether
you want them http-only or not.
Fred
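
An added example (not part of the original thread and not Rails code): a small Ruby check that lists which cookies in a set of Set-Cookie headers lack the HttpOnly attribute, one way to confirm the behaviour described in the reply on a running application. The header values and cookie names are constructed sample data.

```ruby
# Added example: audit Set-Cookie headers for the HttpOnly attribute.
# All header values below are constructed sample data, not captured traffic.

# Parse one Set-Cookie header value into the cookie name and an HttpOnly flag.
def parse_set_cookie(header)
  pair, *attrs = header.split(';').map(&:strip)
  name, _value = pair.to_s.split('=', 2)
  # Attribute names are case-insensitive, so compare them lowercased.
  # Only the attribute name is inspected, so a cookie *value* that happens
  # to contain "httponly" does not count as the flag being set.
  attr_names = attrs.map { |a| a.split('=', 2).first.to_s.strip.downcase }
  { name: name, http_only: attr_names.include?('httponly') }
end

# Return the names of cookies that page scripts could read via document.cookie.
def cookies_missing_http_only(headers)
  headers.map { |h| parse_set_cookie(h) }
         .reject { |c| c[:http_only] }
         .map { |c| c[:name] }
end

SAMPLE_HEADERS = [
  '_myapp_session=abc123; path=/; HttpOnly',   # session cookie with the flag
  'theme=dark; path=/',                        # extra cookie, flag not set
  'note=httponly; path=/; secure',             # value looks like the flag
  'remember_token=xyz; path=/; Secure; httponly' # lowercase attribute name
].freeze

if __FILE__ == $PROGRAM_NAME
  missing = cookies_missing_http_only(SAMPLE_HEADERS)
  puts "Cookies without HttpOnly: #{missing.join(', ')}"
end
```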