
Ruby On Rails - Brakeman: Session cookies should be set to HTTP only


I am using Brakeman gem to analyse my ruby-on-rails app code.

It has the following high-level security warning:

| Warning Type    | Message                                                |
|-----------------|--------------------------------------------------------|
| Session Setting | Session cookies should be set to HTTP only near line 3 |

According to the documentation, setting the httponly attribute to true, rather than false (default value), inside config/initializers/session_store.rb removes this warning (it worked for me).

Can someone explain what is happening? Why does this solve the problem? Can setting the value to true cause a problem?


Solution

  • By default, Rails sets the HTTPOnly flag on session cookies. This flag disallows JavaScript from reading the cookie (see here for details) and thus prevents cross-site scripting attacks from accessing the cookie. In the case of session cookies, it prevents the stealing/hijacking of sessions via cross-site scripting.

    Setting httponly: false in the session store options turns off this protection. You can either set it to true or don't set it at all (in which case the default is still true).

    However, if an application needs to access the session cookie from JavaScript for some reason, then you have to turn off the httponly option. This should be pretty rare, however.
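As an added illustration (not code from the question, the answer, or Brakeman itself), here is a simplified mimic of the "Session Setting" check run against two constructed versions of config/initializers/session_store.rb: the one that triggers the warning and the hardened one. The session key name and the line-based scan are assumptions for the example; Brakeman works on a parsed AST, not on regexes.

```ruby
# Added example, not part of the original post: a simplified stand-in for
# Brakeman's "Session Setting" check, applied to constructed initializers.

# Constructed: the initializer that produces the warning "near line 3".
INSECURE_INITIALIZER = <<~RUBY
  Rails.application.config.session_store :cookie_store,
    key: "_myapp_session",
    httponly: false
RUBY

# Constructed: the hardened form. Leaving httponly out entirely is
# equivalent, because Rails defaults it to true.
HARDENED_INITIALIZER = <<~RUBY
  Rails.application.config.session_store :cookie_store,
    key: "_myapp_session",
    httponly: true,
    secure: Rails.env.production?
RUBY

HTTPONLY_OPTION = /(?:httponly:|:httponly\s*=>)\s*(true|false|\S+)/

# Effective httponly value for the initializer text: true when the option
# is absent (Rails default), the literal when set to true/false, and nil
# when the value is an expression this simple scan cannot evaluate.
def httponly_setting(source)
  match = source.match(HTTPONLY_OPTION)
  return true unless match # not set: the Rails default applies
  case match[1]
  when "true"  then true
  when "false" then false
  end
end

# Brakeman-style findings: one warning per line that disables HttpOnly.
def session_cookie_warnings(source)
  source.each_line.with_index(1).filter_map do |line, number|
    next unless line.match?(/(?:httponly:|:httponly\s*=>)\s*false\b/)
    "Session cookies should be set to HTTP only near line #{number}"
  end
end
```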