How to instruct Phoenix to set secure flag (HTTPS only) on session cookie?

I have noticed that the session cookie is not set to secure, how to turn the secure flag on for Phoenix sessions?

1 Like

You should have something like this in your endpoint:

  plug Plug.Session,
    store: :cookie,
    key: "_hello_key",
    signing_salt: "change_me"

This uses Plug.Session. One of the options is secure which can be passed as an option to the plug.

  plug Plug.Session,
    store: :cookie,
+   secure: true,
    key: "_hello_key",
    signing_salt: "change_me"

12 Likes

This isn’t default? It really should be default! It’s not like it’s useful to javascript anyway considering it is encoded… ^.^;

3 Likes

They are different things.

secure means that the cookie should only be sent over HTTPS (this defaults to true in plug if using HTTPS, but won’t be true if you use HTTP behind a load balancer.)

I think the configuration you are referring to is http-only which determines if the cookie is available to JavaScript or not, which does default to true for cookie storage.

7 Likes
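As an added example (not part of the thread or of Plug itself), the ExUnit test below exercises the Plug.Session configuration from the answer above and the Secure/HttpOnly behaviour described in this reply: without `secure: true` a plain HTTP request yields a cookie with HttpOnly but no Secure attribute, `secure: true` forces Secure, and rewriting the scheme from a trusted proxy's `x-forwarded-proto` header with Plug.RewriteOn makes Plug default it to Secure. The cookie key, signing salt, secret_key_base and route are made-up values, and it assumes a Plug-based project where ExUnit and Plug.Test are available.

```elixir
# Added example (not from the forum thread): ExUnit test showing when the
# session cookie carries the Secure attribute. Cookie key, salt, secret and
# route are dummy values chosen for the test.
defmodule SecureSessionCookieTest do
  use ExUnit.Case, async: true
  import Plug.Test
  import Plug.Conn

  # Same shape as the endpoint config in the thread. The cookie store requires
  # conn.secret_key_base to be at least 64 bytes; this one is a dummy.
  @session_opts [store: :cookie, key: "_hello_key", signing_salt: "change_me"]
  @secret_key_base String.duplicate("x", 64)

  # Run a request through Plug.Session with extra cookie options, write one
  # session value and send the response so the Set-Cookie header is emitted.
  # Returns the lowercased Set-Cookie header for easy attribute matching.
  defp session_cookie(conn, extra_opts) do
    opts = Plug.Session.init(@session_opts ++ extra_opts)
    conn = %{conn | secret_key_base: @secret_key_base}

    conn
    |> Plug.Session.call(opts)
    |> fetch_session()
    |> put_session(:user_id, 42)
    |> send_resp(200, "ok")
    |> get_resp_header("set-cookie")
    |> List.first()
    |> String.downcase()
  end

  test "plain HTTP request without :secure does not set Secure" do
    # Plug.Test builds an :http conn, which is what the app sees behind a
    # TLS-terminating load balancer unless the forwarded scheme is rewritten.
    cookie = conn(:get, "/") |> session_cookie([])
    refute cookie =~ "; secure"
    # HttpOnly is on by default for cookie sessions, independent of Secure.
    assert cookie =~ "; httponly"
  end

  test "secure: true forces the Secure attribute regardless of scheme" do
    cookie = conn(:get, "/") |> session_cookie(secure: true)
    assert cookie =~ "; secure"
    assert cookie =~ "; httponly"
  end

  test "scheme rewritten from x-forwarded-proto also yields Secure" do
    # Only honour this header when a trusted proxy sets it; a client can
    # forge it otherwise. Plug.RewriteOn sets conn.scheme to :https here.
    cookie =
      conn(:get, "/")
      |> put_req_header("x-forwarded-proto", "https")
      |> Plug.RewriteOn.call(Plug.RewriteOn.init([:x_forwarded_proto]))
      |> session_cookie([])

    assert cookie =~ "; secure"
  end
end
```

Run it with `mix test` inside a project that depends on `:plug`. The third test is the load-balancer case from the reply above: if your proxy terminates TLS and forwards plain HTTP, either set `secure: true` explicitly in the endpoint or rewrite the scheme from the forwarded header before Plug.Session runs, and in either case confirm with a test like this rather than relying on the default.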

Ah, could use a more descriptive name (:send_over_https_only or so) I’d say. :slight_smile:

The names come from the spec.

Secure: https://tools.ietf.org/html/rfc6265#section-5.2.5

HttpOnly: https://tools.ietf.org/html/rfc6265#section-5.2.6

8 Likes

Ah cool! That should be linked in the docs with more of an explanation! :slight_smile:

5 Likes

That’s more like general knowledge related to web development in general, than related to any framework really.

It’s something you should/can know without touching Phoenix at all.

2 Likes