Shouldn't Rails add the secure flag automatically for the cookie store when request.ssl?

Hi, currently Rails apps will have something like this by default in the initializers:

Rails.application.config.session_store :cookie_store, key: '_my_app_session'

This will not set the "secure" flag in the _my_app_session cookie. It can be set by providing the {secure: true} option to session_store, but this happens at boot time rather than at request time. This has two problems in my opinion:

1 - Rails isn't safe by default (to the extent of a secure cookie);

2 - It's not possible to serve the same application over different domains when one of them is served over HTTPS and the other over HTTP (unless insecure cookies are used for both); this could be useful for some multi-tenant applications that customize views or behavior based on the request's domain, while some clients are willing to use a certificate and others are not (maybe managing free Let's Encrypt certificates would not be desired, and not all clients are willing to pay for certificates).

To fix the second case, Rails could introduce a {secure: :if_ssl} or {conditionally_secure: true} option to allow the secure flag to be set if request.ssl? is true. The first case would be fixed making this option the default one.

What do you think?

Best,

Rodrigo.
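To make the proposal concrete, here is an added example (not code from the thread or from Rails) of a small Rack-style middleware that appends the secure flag to the session cookie only when the request arrived over HTTPS, i.e. the `secure: :if_ssl` behaviour suggested above. It uses plain Ruby hashes so it runs without Rack installed; the `ssl?` check is a simplified version of what `Rack::Request#ssl?` does, and the upstream app and cookie values are constructed.

```ruby
# Added example: conditionally mark the Rails session cookie as secure,
# per request, instead of the boot-time `secure: true` session_store option.
# Assumes Rack 2 style header names ("Set-Cookie", cookies joined by "\n").
class ConditionallySecureCookie
  SESSION_KEY = '_my_app_session' # key from the session_store line above

  def initialize(app, key: SESSION_KEY)
    @app = app
    @key = key
  end

  # Simplified stand-in for Rack::Request#ssl? (assumption, not Rack's code):
  # direct TLS, the URL scheme, or the first hop in X-Forwarded-Proto.
  def ssl?(env)
    env['HTTPS'] == 'on' ||
      env['rack.url_scheme'] == 'https' ||
      env['HTTP_X_FORWARDED_PROTO'].to_s.split(',').first.to_s.strip == 'https'
  end

  def call(env)
    status, headers, body = @app.call(env)
    return [status, headers, body] unless ssl?(env) && headers['Set-Cookie']

    # Only the session cookie is touched; other cookies pass through unchanged.
    headers['Set-Cookie'] = headers['Set-Cookie'].split("\n").map { |c| secure(c) }.join("\n")
    [status, headers, body]
  end

  private

  def session_cookie?(cookie)
    cookie.start_with?("#{@key}=")
  end

  # Append "; secure" once; leave an already-secure cookie alone.
  def secure(cookie)
    return cookie unless session_cookie?(cookie)
    return cookie if cookie.split(';').map(&:strip).any? { |a| a.casecmp('secure').zero? }
    "#{cookie}; secure"
  end
end

# Constructed upstream app standing in for the cookie store: it always emits an
# insecure session cookie plus one unrelated cookie.
APP = lambda do |_env|
  [200, { 'Set-Cookie' => "_my_app_session=abc123; path=/; HttpOnly\nlocale=en; path=/" }, ['ok']]
end

def set_cookie_for(env)
  ConditionallySecureCookie.new(APP).call(env)[1]['Set-Cookie']
end
```

Running `set_cookie_for('HTTPS' => 'on')` yields a session cookie with `; secure` appended, while `set_cookie_for('rack.url_scheme' => 'http')` returns the cookies untouched, so a plain-HTTP domain keeps working.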

Hi, if you want to use only HTTPS with all secure options, I recommend uncommenting the default production environment option in config/environments/production.rb:

# Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
config.force_ssl = true

Rails provides the complete secure HTTPS stack:

  • secure flag in session cookie,
  • HTTP Strict-Transport-Security,
  • redirect http to https.

Cheers,
Florian

Unfortunately this won't work for the cases where the same application serves multiple domains but only some of them have an SSL certificate. Also, it can't be enabled by default since not everyone is serving over HTTPS. What I suggested can be enabled by default out of the box, improving security a little bit by default without breaking HTTP apps.