
Sending HTTPOnly cookie in response using Rails API application

Correct me if I'm wrong but cookies are just special Set-Cookie: headers, right? Maybe I'm missing something but that always seemed like the case to me. If I set up a Rails API application and want to support sending HTTPOnly cookies (eg headers also assume I've got CORS and everything on the client setup etc) I should be able to do this correct?

Basically, my questions are these:

  1. Does bringing back ActionDispatch::Cookies into my middleware and adding include ::ActionController::Cookies in my application controller totally defeat the purpose of an API application?
  2. If it does, can I just send an HTTPOnly cookie through the headers manually?
  3. And if that is so, is it a much bigger hassle to manage cookie headers manually? Does what I'm gaining from leaving the cookie middleware out outweigh handling them manually, if all I really need to do is send one HTTPOnly refresh token?

So I don't need to add back any middleware or include any classes for cookies. I can use response.set_header to send a cookie. However, this only lets you send one Set-Cookie header because it will overwrite the last header you set with Set-Cookie as the key. Instead you have access to response.set_cookie which will let you set multiple cookies with each set_cookie call. It also comes with some options that you can set that you would have to add to the value of the header you were sending manually with set_header.

Here's an example I used that allowed me to send a cookie:

response.set_cookie(
  :jwt,                      # cookie name
  {
    value: 'this could be a token or whatever cookie value you wanted.',
    expires: 7.days.from_now, # Expires attribute; omit for a session cookie
    path: '/api/v1/auth',     # only sent on requests under this path
    httponly: true            # not readable from document.cookie
  }
)

Check the documentation for this method for other options because there are others.

EDIT: I was having an issue where the cookie was getting sent in the response but not saved (still). It wasn't showing up in the cookie storage so I changed the path of the cookie getting sent to / and then it showed up. I deleted it and then changed the cookie's path to /my/real/path and it worked and was stored in cookie storage. Go figure.
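The behaviour the answer describes, as an added stand-alone illustration that is neither the poster's code nor Rack itself: a hypothetical cookie_header helper formats the same options Rack::Response#set_cookie accepts, two small functions contrast overwriting a single Set-Cookie header with accumulating several, and a check confirms that a refresh-token cookie carries HttpOnly, Secure and SameSite before it leaves the API.

```ruby
require 'time'
require 'cgi'

# Hypothetical helper: build one Set-Cookie header value from the option
# names that Rack::Response#set_cookie understands (value, expires, path,
# domain, secure, httponly, same_site). Not Rack's own implementation.
def cookie_header(name, value:, expires: nil, path: nil, domain: nil,
                  secure: false, httponly: false, same_site: nil)
  parts = ["#{name}=#{CGI.escape(value)}"]
  parts << "domain=#{domain}" if domain
  parts << "path=#{path}" if path
  parts << "expires=#{expires.httpdate}" if expires   # RFC 7231 date format
  parts << 'secure' if secure                         # TLS only
  parts << 'HttpOnly' if httponly                     # hidden from JavaScript
  parts << "SameSite=#{same_site.to_s.capitalize}" if same_site
  parts.join('; ')
end

# Simulates response.set_header: plain assignment, so a second call with the
# same key replaces the first cookie. This is the overwrite the answer warns about.
def set_header(headers, key, val)
  headers[key] = val
  headers
end

# Simulates response.set_cookie: each call appends another Set-Cookie line,
# so several cookies survive in one response.
def add_cookie(headers, cookie)
  headers['Set-Cookie'] = [headers['Set-Cookie'], cookie].compact.join("\n")
  headers
end

# Defender-side check for a refresh-token cookie: it must be unreadable from
# script (HttpOnly), travel only over TLS (Secure) and state a SameSite policy.
def refresh_cookie_hardened?(header_value)
  attrs = header_value.split('; ').map(&:downcase)
  attrs.include?('httponly') && attrs.include?('secure') &&
    attrs.any? { |a| a.start_with?('samesite=') }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: a refresh token scoped to the auth endpoint.
  hdr = cookie_header('jwt', value: 'constructed-token', path: '/api/v1/auth',
                      expires: Time.now.utc + 7 * 24 * 3600,
                      secure: true, httponly: true, same_site: :strict)
  puts hdr
  puts "hardened: #{refresh_cookie_hardened?(hdr)}"
end
```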
