Lev*_*ets 4 ruby session rack httponly sinatra
I am developing an application with Ruby and Sinatra.

I use

```ruby
enable :sessions
```

in order to use the session variables that Rack provides. How do I make all session cookies HttpOnly? Is this the default? I can't find any documentation about it.
Instead of `enable :sessions`:

```ruby
use Rack::Session::Cookie, {:httponly => true }
```
I'd suggest using the encrypted_cookie gem, which is more secure. As an example, this is what I might have for a project:

```ruby
# app/main.rb
require "sinatra/base"

module Example
  class App < Sinatra::Base # this class in its own file
    # stuff here
  end
end

# app/config.rb
require "encrypted_cookie"   # provides Rack::Session::EncryptedCookie
require "main"               # app/ must be on the load path

module Example
  def self.app
    Rack::Builder.app do
      cookie_settings = {
        :key          => 'usr',
        :path         => "/",
        :expire_after => 86400,             # In seconds, 1 day.
        :secret       => ENV["COOKIE_KEY"], # load this into the environment of the server
        :httponly     => true
      }
      cookie_settings.merge!( :secure => true ) if ENV["RACK_ENV"] == "production"

      # AES encryption of cookies
      use Rack::Session::EncryptedCookie, cookie_settings

      # other stuff here
      run App
    end
  end
end

# config.ru
require "app/config"
run Example.app # this in the rackup file
```
(To clarify why I did it this way: this structure lets me split the application up and makes it easier to use by just requiring app/config.rb. YMMV)
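Whichever session middleware is used, the thing worth verifying is what actually leaves the server: the `Set-Cookie` header must carry `HttpOnly` (and `Secure` in production). The following is an added example, not code from the question or the answer above. It is plain Ruby with no gems: a small `Set-Cookie` parser, an audit function that reports which flags a cookie is missing, and a minimal Rack-compatible middleware (the Rack protocol is just `call(env)` returning `[status, headers, body]`) that appends the missing flags to session cookies on the way out. The cookie names `usr` and `rack.session`, the sample app and its cookie values are all constructed for the example.

```ruby
# Added example (not from the original post): audit and enforce HttpOnly/Secure
# on session cookies at the Rack layer. Pure Ruby, no gems required.

# Assumed session cookie names: the answer's :key => 'usr' and Rack's default.
SESSION_COOKIE_NAMES = %w[usr rack.session].freeze

# Parse one Set-Cookie header line into name, value and a hash of attributes.
# Flag attributes (HttpOnly, Secure) become `true`; valued ones keep their value.
def parse_set_cookie(line)
  parts = line.split(";").map(&:strip)
  name, value = parts.shift.split("=", 2)
  attrs = {}
  parts.each do |attr|
    key, val = attr.split("=", 2)
    attrs[key.downcase] = val.nil? ? true : val
  end
  { name: name, value: value, attrs: attrs }
end

# Return the security flags a cookie line lacks, e.g. ["HttpOnly", "Secure"].
# require_secure: false is appropriate for a plain-HTTP development setup.
def missing_flags(line, require_secure: true)
  cookie = parse_set_cookie(line)
  missing = []
  missing << "HttpOnly" unless cookie[:attrs]["httponly"]
  missing << "Secure" if require_secure && !cookie[:attrs]["secure"]
  missing
end

# Rack middleware: adds HttpOnly (and optionally Secure) to the named cookies
# of every response. Handles both the Rack 2 newline-joined string form and
# the Rack 3 array form of the Set-Cookie header.
class SessionCookieHardening
  def initialize(app, names: SESSION_COOKIE_NAMES, secure: true)
    @app, @names, @secure = app, names, secure
  end

  def call(env)
    status, headers, body = @app.call(env)
    key = headers.keys.find { |k| k.casecmp?("Set-Cookie") }
    if key
      raw = headers[key]
      lines = raw.is_a?(Array) ? raw : raw.split("\n")
      hardened = lines.map { |line| harden(line) }
      headers[key] = raw.is_a?(Array) ? hardened : hardened.join("\n")
    end
    [status, headers, body]
  end

  private

  def harden(line)
    cookie = parse_set_cookie(line)
    return line unless @names.include?(cookie[:name])
    line += "; HttpOnly" unless cookie[:attrs]["httponly"]
    line += "; Secure" if @secure && !cookie[:attrs]["secure"]
    line
  end
end

# Constructed sample app: sets a session cookie with no flags plus an
# unrelated preference cookie, mimicking a misconfigured session layer.
SAMPLE_APP = lambda do |_env|
  cookies = "usr=abc123; path=/; expires=Thu, 01 Jan 2026 00:00:00 GMT\n" \
            "theme=dark; path=/"
  [200, { "Set-Cookie" => cookies }, ["ok"]]
end

# Run the sample app through the middleware and return the Rack triple.
def hardened_response
  SessionCookieHardening.new(SAMPLE_APP).call({})
end

if __FILE__ == $PROGRAM_NAME
  _status, headers, _body = hardened_response
  headers["Set-Cookie"].split("\n").each do |line|
    flags = missing_flags(line)
    puts "#{line}  -> missing: #{flags.empty? ? 'none' : flags.join(', ')}"
  end
end
```

In practice the `missing_flags` check is the useful part: point it at the `Set-Cookie` lines of a real response (from `curl -i` or a Rack::MockRequest in a test) and fail the test if a session cookie comes back without `HttpOnly`, so a later change to the session configuration cannot silently drop the flag. The middleware is a safety net rather than a substitute for configuring `:httponly` and `:secure` in the session options themselves.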