#5629 ✓committed
W. Andrew Loe III

Secure Cookies should only be transmitted over SSL

Reported by W. Andrew Loe III | September 13th, 2010 @ 10:34 PM

If a cookie is marked 'secure' it should only be sent to the browser over SSL or else it may be intercepted.

This can be confusing (especially in development mode) because it will no-op if the request is not SSL and it can be hard to track down to :secure => true in the session options.

I am setting the flag as 'secure', older versions of Rails have set it to 'Secure' but I cannot find a spec that specifies if the capitalization matters.
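An added example (not Rails code, and not part of the ticket) showing the behaviour the report describes: a cookie flagged secure is only written as a Set-Cookie header when the request came in over SSL, and the otherwise-silent no-op is surfaced in a log so it can be tracked down in development. The parser also checks the Secure attribute case-insensitively, which is how RFC 6265 §5.2 defines attribute-name matching. The module, method names and the log format are all hypothetical.

```ruby
# Hypothetical helper, not Rails' cookie jar: writes cookies and refuses to
# emit a secure cookie on a non-SSL request, logging the skip instead.
require 'cgi'

module SecureCookieWriter
  # Build a Set-Cookie header value, or return nil when a cookie marked
  # secure would otherwise be sent over plain HTTP.
  def self.header_for(name, value, secure: false, ssl: false, http_only: true, path: '/')
    return nil if secure && !ssl

    parts = ["#{CGI.escape(name)}=#{CGI.escape(value)}", "path=#{path}"]
    parts << 'secure' if secure
    parts << 'HttpOnly' if http_only
    parts.join('; ')
  end

  # Parse a Set-Cookie header and report which attributes are present.
  # Attribute names are compared case-insensitively (RFC 6265 section 5.2),
  # so 'secure' and 'Secure' are treated the same.
  def self.attributes(header)
    pair, *attrs = header.split(';').map(&:strip)
    name, val = pair.split('=', 2)
    flags = attrs.map { |a| a.split('=', 2).first.downcase }
    {
      name: name,
      value: val,
      secure: flags.include?('secure'),
      http_only: flags.include?('httponly')
    }
  end

  # Write a cookie for a request; when the write is skipped, record why so
  # the no-op is visible rather than silent.
  def self.write(request_ssl, name, value, secure:, log: [])
    header = header_for(name, value, secure: secure, ssl: request_ssl)
    log << "cookie '#{name}' is marked secure but the request is not SSL; not sent" if header.nil?
    header
  end
end

if __FILE__ == $PROGRAM_NAME
  log = []
  # Constructed requests: one over SSL, one over plain HTTP.
  puts SecureCookieWriter.write(true, '_session_id', 'abc123', secure: true, log: log).inspect
  puts SecureCookieWriter.write(false, '_session_id', 'abc123', secure: true, log: log).inspect
  puts log
end
```

Running the script prints the header for the SSL request, `nil` for the plain-HTTP request, and the logged reason for the skipped write.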

Comments and changes to this ticket

Tickets have moved to Github

The new ticket tracker is available at https://github.com/rails/rails/issues
