Ruby on Rails Security – Protection Flags on Session Cookies


When an unsuspecting user visits the site, the JavaScript executes, stealing the ‘sessionId’ cookie and sending it to the malicious user. Using the victim’s session ID, the malicious user can hijack the victim’s session and perform actions on their behalf.

Solution and Fix:

Add the ‘HttpOnly’ flag to the Set-Cookie directive for the session ID. When we  tag a cookie with the HttpOnly flag, it tells the browser that this particular cookie should only be accessed by the server. Any attempt to access the cookie from client script is strictly forbidden. Of course, this presumes you have:

  1. A modern web browser
  2. A browser that actually implements HttpOnly correctly

Example and Testing:

The following details are extracted from the ‘Live HTTP Headers’

Before setting the ‘HttpOnly’ flag:-

Set-Cookie: sessionId=EUID%3DLTU3Zjg3YTA3OjEzNj

After setting the ‘HttpOnly’ flag:-

Set-Cookie: sessionId=EUID%3DLTU3Zjg3YTA3OjEzNj; HttpOnly

Links for References:-



One thought on “Ruby on Rails Security – Protection Flags on Session Cookies”

Comments are closed.