About HTTP-only cookies in Ruby on Rails.

Hi all,

I am a security researcher at the University of Virginia, and I am currently doing research on HTTP-only cookie deployment. May I ask whether Ruby on Rails supports HTTP-only cookies? If yes, what is the default configuration for Ruby on Rails? In other words, do the HTTP servers need to set HTTP-only manually, or does it apply automatically?

Many thanks in advance,

Yuchen

Session cookies have been http-only by default for a while. If you create extra cookies by yourself then it's up to you to decide whether you want them http-only or not.

Fred
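
An added example, not part of either post: a small Ruby check that reports which `Set-Cookie` headers lack the `HttpOnly` attribute, which is one way to confirm what an application actually emits for its session cookie and for any extra cookies. The header values, cookie names and function names are constructed for illustration.

```ruby
# Added example: audit Set-Cookie header values for the HttpOnly attribute.
# All header values below are constructed samples, not captured traffic.

# Parse one Set-Cookie header value into name, value and an attribute map.
# Attribute names are case-insensitive (RFC 6265), so they are downcased.
def parse_set_cookie(header)
  pair, *attrs = header.split(";").map(&:strip)
  name, value = pair.to_s.split("=", 2)
  attributes = attrs.reject(&:empty?).each_with_object({}) do |attr, h|
    key, val = attr.split("=", 2)
    h[key.strip.downcase] = val.nil? ? true : val.strip
  end
  { name: name, value: value.to_s, attributes: attributes }
end

# True only when HttpOnly appears as an attribute, not merely inside the value.
def http_only?(header)
  parse_set_cookie(header)[:attributes].key?("httponly")
end

# Names of cookies that a page script could read via document.cookie.
def cookies_missing_http_only(headers)
  headers.reject { |h| http_only?(h) }.map { |h| parse_set_cookie(h)[:name] }
end

# Constructed samples: a session-style cookie, two extra cookies, and one
# cookie whose *value* is the string "HttpOnly" (a substring check would
# wrongly treat it as protected).
SAMPLE_HEADERS = [
  "_myapp_session=abc123; path=/; HttpOnly",
  "theme=dark; path=/",
  "remember_token=xyz; path=/; secure; httponly",
  "note=HttpOnly; path=/"
].freeze

if __FILE__ == $PROGRAM_NAME
  missing = cookies_missing_http_only(SAMPLE_HEADERS)
  puts "Cookies without HttpOnly: #{missing.join(', ')}"
end
```

In a Rails controller, an extra cookie is marked HTTP-only by passing the option when setting it, for example `cookies[:remember_token] = { value: token, httponly: true }`.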