In Rails 6.0.3.1, is there a way to natively set the Rails session cookie SameSite attribute without resorting to using a gem such as the secure_headers gem?
Throw this before_action in your ApplicationController:
response.headers['SameSite'] = 'Lax'
Edit: my answer was for Rails 5.2, and wrong. Setting same_site: :lax in your session_store.rb file does work.
I don't have a solution to my specific problem, so I upgraded my application to use Rails 6.1, which has a new initializer file called new_framework_defaults_6_1.rb containing the following self-explanatory comments that solve my issue.
I do NOT believe that every single Rails application should upgrade to Rails 6.1 to solve this, and the Rails team needs to solve this urgently, so I am posting my answer but not accepting it in the hope that someone may have a more appropriate answer for anyone else looking to solve this.
# Specify cookies SameSite protection level: either :none, :lax, or :strict.
#
# This change is not backwards compatible with earlier Rails versions.
# It's best enabled when your entire app is migrated and stable on 6.1.
Rails.application.config.action_dispatch.cookies_same_site_protection = :lax
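As an added illustration (not code from either answer above) of what "setting SameSite" actually means at the HTTP level: SameSite is an attribute inside the Set-Cookie header, which is why a separate response.headers['SameSite'] header has no effect. The Rack-style middleware below appends the attribute to the session cookie only; it assumes a session cookie named _myapp_session and the Rack 2 convention that several Set-Cookie values are joined with "\n".

```ruby
# Added example, not part of the original question or answers.
# Assumes Rack 2 style headers: multiple Set-Cookie values joined by "\n".
class SessionSameSite
  def initialize(app, cookie_name: '_myapp_session', same_site: 'Lax')
    @app = app
    @cookie_name = cookie_name   # assumed session cookie name
    @same_site = same_site
  end

  def call(env)
    status, headers, body = @app.call(env)
    if (raw = headers['Set-Cookie'])
      headers['Set-Cookie'] = raw.split("\n").map { |c| fix(c) }.join("\n")
    end
    [status, headers, body]
  end

  # Append SameSite only to the session cookie and only when it is absent.
  def fix(cookie)
    name = cookie.split('=', 2).first
    return cookie if name != @cookie_name
    return cookie if cookie =~ /;\s*SameSite=/i
    cookie = "#{cookie}; SameSite=#{@same_site}"
    # Browsers only honour SameSite=None when the cookie is also Secure.
    cookie += '; Secure' if @same_site.casecmp?('None') && cookie !~ /;\s*Secure/i
    cookie
  end
end

# Constructed sample app response so the example runs stand-alone.
SAMPLE_APP = lambda do |_env|
  [200,
   { 'Set-Cookie' => "_myapp_session=abc123; path=/; HttpOnly\nremember_me=1; path=/" },
   ['ok']]
end

# Returns the rewritten Set-Cookie values, one per cookie.
def demo(same_site: 'Lax')
  _status, headers, _body = SessionSameSite.new(SAMPLE_APP, same_site: same_site).call({})
  headers['Set-Cookie'].split("\n")
end
```

Setting same_site: :lax in session_store.rb (or the 6.1 cookies_same_site_protection default) produces the same "; SameSite=Lax" suffix on the session cookie without any middleware.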
Related
Specifically...
I don't understand how in a new Rails 5.2 app, if you enter the console and check Rails.application.config.action_controller.default_protect_from_forgery it'll return true
...but in an upgraded Rails 5.2 app, if you enter the console and check Rails.application.config.action_controller.default_protect_from_forgery it'll return nil (unless you've manually set it in config/initializers/new_framework_defaults_5_2.rb)
This GitHub comment mentions this behavior, but I don't understand how this works & I haven't been able to find any documentation yet.
WIP Update: This issue seems like the point where it was decided to not include new_framework_defaults* files in newly generated apps. Then this pull request mentions that new_framework_defaults_* files are only kept on a rolling basis. I'm still looking into why/how...
To load the defaults (i.e. config/initializers/new_framework_defaults_5_2.rb) in Rails 5.2, make the following change in application.rb:
config.load_defaults 5.2
Then remove new_framework_defaults_5_2.rb from initializers.
config.load_defaults Rails::VERSION::STRING.to_f
will solve the problem forever )
So I just upgraded from Ruby 1.8.7 to 1.9.3, then from Rails 2.3.18 to Rails 3.0.20, but I'm running into this error:
A secret is required to generate an integrity hash for cookie session data. Use config.secret_token = "some secret phrase of at least 30 characters" in config/initializers/secret_token.rb
I have searched and seen all of the questions about this that say you need to add
MyApp::Application.config.secret_token = 'secret'
and I have that in my config/initializers/secret_token.rb. What else could give me this error?
I also have:
MyApp::Application.config.session_store :cookie_store, :key => 'some_key'
in my config/initializers/session_store.rb
I believe I could have missed something during my upgrade which is causing this error?
EDIT:
I was missing this in my environment.rb
TheHockeyCommunity::Application.initialize!
Now it's working fine!
Cheers
It's likely you're missing some of the changes to the config files that you need in Rails 3 and your initializer isn't being included. I made the same upgrade recently; you can check my changes. There are a lot of changes there that won't be useful to you, but pay attention to any changes to files at the root of the application and under config.
Also, make sure you have your app name (matching the initialize! line in config/environment.rb) and not "MyApp".
For some reason the session cookie on my app is not being set properly in production. This problem seemed to have just appeared overnight, with no changes on my end that I can think of. There is only one domain involved.
A session cookie is set when I run the app in development on localhost, so there is something strange happening with the server. If I inspect the cookies on the server side, it gives me a list, but the cookie is not being set in the browser. Also, I can manually create a test cookie on the server side, and it shows up on the browser. It's only the session cookie that is not showing up.
I tried changing the session store from memcached to cookiestore, which doesn't seem to have helped - still no session cookie. So I don't think it's the session_store code.
Using Rails 4.0.2 and passenger 4.0.19 with whatever version of nginx it installs. ruby 1.9.3. Any help would be appreciated - I'm completely stumped.
They already fixed this in the GitHub repo, and it is being released at any moment.
Anyway, if someone is on Rails 2 and still has this bug, or doesn't want to update Passenger, we could fix it by doing:
require 'time' # for Time#httpdate

class ApplicationController < ActionController::Base
  after_filter :set_headers

  # Emit an RFC-formatted HTTP Date header; Time#to_s ("2013-12-25 12:00:00 UTC")
  # is not a valid HTTP-date, so use httpdate instead.
  def set_headers
    response.headers["Date"] = Time.now.httpdate
  end
end
UPDATE
Here is the official post explaining what happened.
I've just updated the Phusion Passenger gem to 4.0.30. It is quite straightforward and has the fix for this bug. Official instructions here.
I recently upgraded a site from Ruby 1.8.7 to Ruby 1.9.2, and from Rails 3.0.x to 3.2.x. I noticed that some of my legacy urls weren't being handled correctly anymore, and wanted to diagnose the issue.
Here's what I noticed.
http://myapp.com/links/oldlink.html had, in my old app, provided a params[:path] of /links/oldlink.html, but now is providing links/oldlink. So it's dropping the leading forward slash as well as the file extension.
Can anyone help me figure out what's going on here? Of course I can manually change the legacy strings in my database to also drop their forward slashes and file extensions, but that seems like a hacky solution, and I want to make sure I understand the underlying principles that account for this change in the Rails routing behavior.
Thanks!
You should try this in your routes.rb:
match '/foo', :to => redirect('/foo.html')
I've got a Rails 3.2.3 app with the default_locale set to :nl. When I start the app using Thin or Unicorn, the app's locale is set to :en. When I use Webrick, the locale is correctly set to :nl.
This change is triggered by a commit that updates several third-party gems, although I have not been able to single out any one gem upgrade in particular; I can revert each of them individually and get the same result. However, when I check out the offending commit's parent, all is well too.
When I run the app on a remote server in production mode, it all works fine, so it seems to be local to my machine.
I have removed every single installed gem and re-installed them all, which made no difference.
Does anyone have any idea what might trigger this behaviour? And especially why using Webrick or Unicorn would make a difference?
Edit: I have pinpointed the bug to be triggered by upgrading Draper from 0.11 to 0.12 (issue at Github). Not sure if it is also the cause.
http://labs.revelationglobal.com/2009/11/13/unicorn_and_i18n.html
This problem has occurred to me before, which was triggered by the "active_admin" gem. You might want to use an earlier version to prevent this; I do not really know which one, so you can play around with it a little.
Another option would be to set the active_admin locale in a before_filter:
config.before_filter :set_admin_locale
And set_admin_locale is in the application_controller:
def set_admin_locale
  I18n.locale = :nl
end
Hope it helped.
I managed to track this problem down to a bad practice in my own Rails app that caused a bug by upgrading the Draper gem. There's a full explanation in the Draper documentation.