【Title】:Cookie is not set when secure option is enabled in rails session_store configuration?
【Posted】:2018-08-10 13:12:29
【Question】:

Below is my code in session_store.rb

Rails.application.config.session_store :active_record_store ,  key: '_test_key', secure: :true

When a request is made to the rails application with the above configuration, the browser receives the following response headers:

Cache-Control:no-cache
Content-Type:text/html; charset=utf-8
Date:Fri, 10 Aug 2018 10:46:51 GMT
Location:https://xxxxx-xxxx.com/home
Server:nginx/1.12.2 + Phusion Passenger 5.2.3
Status:302 Found
Transfer-Encoding:chunked
X-Content-Type-Options:nosniff
X-Frame-Options:SAMEORIGIN
X-Powered-By:Phusion Passenger 5.2.3
X-Request-Id:xxxxxxxxxxxe5-7f1a2bb20b23
X-Runtime:1.191833
X-XSS-Protection:1; mode=block

The problem is that the "Set-Cookie" header is missing from the response; it would be sent to the application for validation on the next request, since this is a 302 status code.

When I remove "secure" from the configuration, the "cookie" is sent

Rails.application.config.session_store :active_record_store ,  key: '_test_key'

The response is:

Cache-Control:no-cache
Content-Type:text/html; charset=utf-8
Date:Fri, 10 Aug 2018 10:38:05 GMT
Location:https://xxxxxx-wspbx.com/home
Server:nginx/1.12.2 + Phusion Passenger 5.2.3
Set-Cookie:_test_key=06b1bd1397fa64af1eb9c9ed4d2e0b0b; path=/; HttpOnly
Status:302 Found
Transfer-Encoding:chunked
X-Content-Type-Options:nosniff
X-Frame-Options:SAMEORIGIN
X-Powered-By:Phusion Passenger 5.2.3
X-Request-Id:xxxxxxxxxxxxxxxxx7-58e1baab7dc8
X-Runtime:1.207210
X-XSS-Protection:1; mode=block 

What causes "Set-Cookie" not to be sent to the browser when the "secure" option is given to session_store?

【Comments】:

    Tags: https passenger ruby-on-rails-4.1


    【Answer 1】:

    You have probably figured it out by now, but just in case: secure: true will only allow the cookie to be sent over an encrypted HTTPS (SSL/TLS) connection, which you most likely don't have locally.

    You could do something like this:

    Rails.application.config.session_store :active_record_store ,  key: '_test_key', secure: !(Rails.env.development? || Rails.env.test?)
    

    It will work as long as production uses SSL; you may need to add config.force_ssl = true to your production.rb

    https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Session_Management_Cheat_Sheet.md#secure-attribute

    【Discussion】:
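
The HTTPS condition described in this answer, as an added example that is not part of the original post and not Rack's or Rails' own code: a simplified Ruby model of how the Rack session middleware (the logic of `Rack::Session::Abstract::Persisted#security_matches?` together with `Rack::Request#scheme`) decides whether to emit the session Set-Cookie at all. It also shows why a TLS-terminating proxy such as nginx must forward the scheme (X-Forwarded-Proto) for Rails to treat the request as HTTPS; the env hashes are constructed for the demonstration and the session id is the one from the question.

```ruby
require 'cgi'

# Mirrors (simplified) Rack::Request#scheme: proxy-supplied headers win over
# the scheme the app server itself saw, so TLS terminated at nginx is only
# visible to Rails when nginx forwards it.
def request_scheme(env)
  if env['HTTPS'] == 'on' || env['HTTP_X_FORWARDED_SSL'] == 'on'
    'https'
  elsif env['HTTP_X_FORWARDED_SCHEME']
    env['HTTP_X_FORWARDED_SCHEME']
  elsif env['HTTP_X_FORWARDED_PROTO']
    env['HTTP_X_FORWARDED_PROTO'].split(',').first.strip
  else
    env['rack.url_scheme']
  end
end

def ssl?(env)
  request_scheme(env) == 'https'
end

# Mirrors Rack::Session::Abstract::Persisted#security_matches?: with a truthy
# :secure option the session is only committed when the request was TLS.
# The question's `secure: :true` is a Symbol, which is truthy as well.
def security_matches?(env, options)
  return true unless options[:secure]
  ssl?(env)
end

# Returns the Set-Cookie value Rack would emit, or nil when the session is
# silently not committed (the symptom in the question: no Set-Cookie at all).
def session_set_cookie(env, key, sid, options)
  return nil unless security_matches?(env, options)
  cookie = "#{CGI.escape(key)}=#{CGI.escape(sid)}; path=/"
  cookie += '; secure' if options[:secure]
  cookie += '; HttpOnly' if options.fetch(:httponly, true)
  cookie
end

SID = '06b1bd1397fa64af1eb9c9ed4d2e0b0b' # session id from the question's response
# Passenger behind nginx that does not forward the scheme: Rails sees plain http.
NO_PROXY_HEADER = { 'rack.url_scheme' => 'http' }
# nginx with `proxy_set_header X-Forwarded-Proto $scheme;`: Rails sees https.
WITH_PROXY_HEADER = { 'rack.url_scheme' => 'http', 'HTTP_X_FORWARDED_PROTO' => 'https' }

if __FILE__ == $0
  p session_set_cookie(NO_PROXY_HEADER, '_test_key', SID, secure: :true)   # nil
  p session_set_cookie(WITH_PROXY_HEADER, '_test_key', SID, secure: :true) # ends with "; path=/; secure; HttpOnly"
end
```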

      【Answer 2】:

      I solved it with this monkey patch instead of specifying secure: :true:

      require 'rack/utils'
      module Rack
        module Utils
          # Override Rack's cookie serializer so every cookie carries the
          # "secure" attribute regardless of the :secure option.
          def self.set_cookie_header!(header, key, value)
            case value
            when Hash
              domain  = "; domain="  + value[:domain] if value[:domain]
              path    = "; path="    + value[:path]   if value[:path]
              # max-age is usually an Integer, so convert before concatenating
              max_age = "; max-age=" + value[:max_age].to_s if value[:max_age]
              expires = "; expires=" +
                  rfc2822(value[:expires].clone.gmtime) if value[:expires]
      
              # Make always secure
              # secure = "; secure"  if value[:secure]
              secure = "; secure"
      
              httponly = "; HttpOnly" if value[:httponly]
              same_site =
                  case value[:same_site]
                  when false, nil
                    nil
                  when :none, 'None', :None
                    '; SameSite=None'
                  when :lax, 'Lax', :Lax
                    '; SameSite=Lax'
                  when true, :strict, 'Strict', :Strict
                    '; SameSite=Strict'
                  else
                    raise ArgumentError, "Invalid SameSite value: #{value[:same_site].inspect}"
                  end
              value = value[:value]
            end
            value = [value] unless Array === value
            cookie = escape(key) + "=" +
                value.map { |v| escape v }.join("&") +
                "#{domain}#{path}#{max_age}#{expires}#{secure}#{httponly}#{same_site}"
      
            # Append to any Set-Cookie value already present on the response
            case header["Set-Cookie"]
            when nil, ''
              header["Set-Cookie"] = cookie
            when String
              header["Set-Cookie"] = [header["Set-Cookie"], cookie].join("\n")
            when Array
              header["Set-Cookie"] = (header["Set-Cookie"] + [cookie]).join("\n")
            end
      
            nil
          end
        end
      end
      

      【Discussion】:
