I notice that Rails 2.2 (currently edge) supports setting HttpOnly on the session cookie.

Is there a way of setting it on a Rails 2.1 application without moving to edge/2.2?

A: 

Set the http_only option to true in the cookie's options hash:

cookies['visits'] = { :value => '20', :http_only => true }
John Topley
Thanks John - that works for cookies that are set manually, but not for the session cookie.
tomtaylor
Oh, sorry - I didn't read the question closely enough!
John Topley
+1  A: 

Well it isn't supported, as you note, but you can of course monkey-patch Rails to do what you want. Actually, the difference between directly patching your Rails v. monkey-patching in this case is very little, as either would be removed/reverted when you upgrade to 2.2.

In both cases you would look at that applied diff as a guide for patching 2.1 yourself - either through applying the patch directly (modulo any 2.1/edge differences), or by reopening those classes from your own code post-environment-loading to apply the changes.

James Baker
I guess that's the only way. Thanks!
tomtaylor
+1  A: 

I have written a monkey patch to add this support to Rails 2.1, from the patch for Rails 2.2.

I've not tested on anything other than Rails 2.1, and your mileage may vary!

tomtaylor
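
Whichever patch is applied, it is worth confirming that the session cookie itself, and not only manually set cookies, now carries the flag. The following check is an added example, not part of the original thread or of the monkey patch mentioned above; the cookie name `_myapp_session` and the sample response headers are constructed for illustration.

```ruby
# Audit the Set-Cookie headers of a response for the HttpOnly attribute.

# Parse one Set-Cookie header value into [cookie_name, attribute_names].
def parse_set_cookie(value)
  parts = value.split(';').map { |p| p.strip }
  name = parts.shift.to_s.split('=', 2).first.to_s
  # Attribute names are case-insensitive, so normalise before comparing.
  attrs = parts.map { |p| p.split('=', 2).first.to_s.strip.downcase }
  [name, attrs]
end

# Return the names of all cookies that are set without HttpOnly.
# raw_headers is the header section of an HTTP response as a string.
def cookies_missing_httponly(raw_headers)
  missing = []
  raw_headers.each_line do |line|
    # Limit the split to 2 so colons inside values (e.g. expiry times) survive.
    field, value = line.chomp.split(':', 2)
    next unless value && field.strip.downcase == 'set-cookie'
    name, attrs = parse_set_cookie(value)
    next if name.empty?
    missing << name unless attrs.include?('httponly')
  end
  missing
end

# Constructed sample: a manually set cookie that has the flag and a
# session cookie (hypothetical name and value) that does not.
SAMPLE_HEADERS = <<HEADERS
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Set-Cookie: visits=20; path=/; HttpOnly
Set-Cookie: _myapp_session=BAh7BiIKZmxhc2g; path=/
HEADERS

if __FILE__ == $0
  missing = cookies_missing_httponly(SAMPLE_HEADERS)
  if missing.empty?
    puts 'All cookies are HttpOnly'
  else
    puts "Cookies without HttpOnly: #{missing.join(', ')}"
  end
end
```

Feed it the headers captured from a real response (for example, saved from `curl -i`) before and after applying the patch; the session cookie should drop out of the list.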