I have noticed that the session cookie is not set to secure, how to turn the secure flag on for Phoenix sessions?
1 Like
You should have something like this in your endpoint:
plug Plug.Session,
store: :cookie,
key: "_hello_key",
signing_salt: "change_me"
This uses Plug.Session. One of the options is secure which can be passed as an option to the plug.
plug Plug.Session,
store: :cookie,
+ secure: true,
key: "_hello_key",
signing_salt: "change_me"
13 Likes
This isn’t default? It really should be default! It’s not like it’s useful to javascript anyway considering it is encoded… ^.^;
4 Likes
They are different things.
secure means that the cookie should only be sent over HTTPS (this defaults to true in plug if using HTTPS, but won’t be true if you use HTTP behind a load balancer.)
I think the configuration you are referring to is http-only which determines if the cookie is available to JavaScript or not, which does default to true for cookie storage.
7 Likes
Ah, could use a more descriptive name (:send_of_https_only or so) I’d say. 
The names come from the spec.
8 Likes
Ah cool! That should be linked in the docs with more of an explanation!
5 Likes
That’s more like general knowledge related to web development in general, than related to any framework really.
Is something you should/can know without touching Phoenix at all.
2 Likes
What to when we want to put some session cookie based on env?
I am currently using this
@dev_env? Application.compile_env(:core, [:app_env], :prod) in ["dev", :dev]
@session_options (case(!!@dev_env?) do
true ->
[
max_age: 120 * 60 * 60,
store: OPSWeb.Session.Store,
key: "_OPSWeb_",
signing_salt: "OPSWeb="
]
false ->
[
max_age: 120 * 60 * 60,
store: OPSWeb.Session.Store,
key: "_OPSWeb_",
signing_salt: "OPSWeb=",
secure: true,
http_only: true
]
end)
but when I want to get session options via function or compile env it fails
see issue
