The page http://www.codinghorror.com/blog/archives/001167.html explains why making HttpOnly cookies is a good idea.

How do I set this property in Ruby on Rails?

+4  A: 

Just set :http_only to true as described in the changelog.

Michael Haren
+12  A: 

Set the 'http_only' option in the hash used to set a cookie

e.g.

cookies["user_name"] = { :value => "david", :http_only => true }

Laurie Young
+1  A: 

I also wrote a patch that is included in Rails 2.2, which defaults the CookieStore session to be http_only.

Unfortunately session cookies are still by default regular cookies.

Pelle
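
The answers above set the flag on the Rails side; whether it actually reaches the browser can be confirmed by checking the Set-Cookie response headers for the HttpOnly attribute. The Ruby below is an added example, not code from any of the answers or from Rails; the function names and the sample header values (including the session cookie name and value) are constructed for illustration.

```ruby
# Added example: audit Set-Cookie header values for the HttpOnly attribute.
# The header strings below are constructed sample data, not captured traffic.

# Parse one Set-Cookie header value into the cookie name and its attributes.
# Attribute names are case-insensitive, so they are stored lowercased.
def parse_set_cookie(header)
  parts = header.split(';').map(&:strip).reject(&:empty?)
  # The first part is name=value; the value itself may contain '='.
  name, _value = parts.shift.to_s.split('=', 2)
  attrs = {}
  parts.each do |part|
    key, val = part.split('=', 2)
    # Flag attributes such as HttpOnly and Secure carry no value.
    attrs[key.strip.downcase] = val.nil? ? true : val.strip
  end
  { name: name.to_s.strip, attrs: attrs }
end

# Return the names of cookies that were sent without HttpOnly.
def cookies_missing_httponly(headers)
  headers.map { |h| parse_set_cookie(h) }
         .reject { |c| c[:name].empty? || c[:attrs].key?('httponly') }
         .map { |c| c[:name] }
end

# Constructed examples: one cookie set with :http_only => true, a session
# cookie without the flag, a lowercase spelling, and a value containing '='.
SAMPLE_HEADERS = [
  'user_name=david; path=/; HttpOnly',
  '_myapp_session=BAh7BiIK; path=/',
  'theme=dark; Path=/; httponly; Secure',
  'note=a=b; path=/'
].freeze

if __FILE__ == $PROGRAM_NAME
  cookies_missing_httponly(SAMPLE_HEADERS).each do |name|
    puts "cookie '#{name}' is readable from JavaScript (no HttpOnly)"
  end
end
```

Feed it the Set-Cookie values from a real response (for example, collected in a functional test) to catch cookies that were set without the option.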