I have noticed that the session cookie is not set to secure. How do I turn the secure flag on for Phoenix sessions?
You should have something like this in your endpoint:
plug Plug.Session,
  store: :cookie,
  key: "_hello_key",
  signing_salt: "change_me"
This uses Plug.Session. One of its options is secure, which can be passed as an option to the plug:
plug Plug.Session,
  store: :cookie,
+ secure: true,
  key: "_hello_key",
  signing_salt: "change_me"
This isn’t the default? It really should be the default! It’s not like it’s useful to JavaScript anyway considering it is encoded… ^.^;
They are different things. secure means that the cookie should only be sent over HTTPS (this defaults to true in Plug if using HTTPS, but won’t be true if you use HTTP behind a load balancer). I think the configuration you are referring to is http-only, which determines if the cookie is available to JavaScript or not, and which does default to true for cookie storage.
Ah, it could use a more descriptive name (:send_of_https_only or so), I’d say.
The names come from the spec.
Ah cool! That should be linked in the docs with more of an explanation!
That’s more like general knowledge related to web development in general than related to any framework really. It’s something you should/can know without touching Phoenix at all.
What to do when we want to set the session cookie options based on the env?
I am currently using this
# true only when the compile-time env of :core says we are in dev
@dev_env? Application.compile_env(:core, [:app_env], :prod) in ["dev", :dev]

# in dev the cookie is sent over plain HTTP, in every other env it is
# hardened with secure and http_only
@session_options (case @dev_env? do
  true ->
    [
      max_age: 120 * 60 * 60,
      store: OPSWeb.Session.Store,
      key: "_OPSWeb_",
      signing_salt: "OPSWeb="
    ]

  false ->
    [
      max_age: 120 * 60 * 60,
      store: OPSWeb.Session.Store,
      key: "_OPSWeb_",
      signing_salt: "OPSWeb=",
      secure: true,
      http_only: true
    ]
end)
but when I want to get the session options via a function or compile env, it fails; see issue
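As an added, self-contained illustration (not code from the thread, from Phoenix or from the OPSWeb project above) of the two points made in this thread, the secure / http_only options of Plug.Session and building the option list from the compile-time env, here is a minimal Plug.Builder pipeline plus an ExUnit test that actually inspects the Set-Cookie header it emits. The module names, the :my_app OTP app and its :app_env key, the cookie key and the signing salt are all hypothetical; the test only checks the flags that Plug itself writes into the cookie header.

```elixir
# hardened_session.exs -- run with `elixir hardened_session.exs`
Mix.install([{:plug, "~> 1.14"}])

defmodule HardenedSession do
  @moduledoc """
  Minimal Plug pipeline (not a real Phoenix endpoint) that builds its
  Plug.Session options at compile time and only relaxes the cookie flags
  when the build is for the dev environment.
  """
  use Plug.Builder

  # Hypothetical app/key: replace with your own OTP app and config key.
  # `in [...]` already yields a boolean, so no `!!` is needed.
  @dev_env? Application.compile_env(:my_app, :app_env, :prod) in ["dev", :dev]

  @base_options [
    store: :cookie,
    key: "_my_app_key",
    signing_salt: "change_me",          # demo value, generate your own
    max_age: 120 * 60 * 60
  ]

  # Hardening flags: secure so the browser never sends the cookie over plain
  # HTTP (Plug only defaults this to true when conn.scheme is :https, which
  # is not the case behind a TLS-terminating load balancer), http_only so
  # scripts cannot read it, same_site as CSRF defence in depth.
  @hardening [secure: true, http_only: true, same_site: "Lax"]

  @session_options (if @dev_env?, do: @base_options, else: @base_options ++ @hardening)

  def session_options, do: @session_options

  plug Plug.Session, @session_options
  plug :fetch_session
  plug :touch

  # Writing to the session is what makes Plug emit the Set-Cookie header.
  def touch(conn, _opts) do
    conn
    |> put_session(:seen_at, System.system_time(:second))
    |> send_resp(200, "ok")
  end
end

ExUnit.start()

defmodule HardenedSessionTest do
  use ExUnit.Case, async: true
  import Plug.Test

  # The cookie store signs the session with conn.secret_key_base (>= 64 bytes).
  @secret_key_base String.duplicate("x", 64)

  test "session cookie carries the secure, HttpOnly and SameSite flags" do
    conn =
      conn(:get, "/")
      |> Map.put(:secret_key_base, @secret_key_base)
      |> HardenedSession.call([])

    assert conn.status == 200
    [cookie] = Plug.Conn.get_resp_header(conn, "set-cookie")
    assert String.starts_with?(cookie, "_my_app_key=")
    assert cookie =~ "; secure"
    assert cookie =~ "; HttpOnly"
    assert cookie =~ "; SameSite=Lax"
  end
end
```

With no :app_env configured the default :prod is used, so the hardening flags are applied and the test passes; set `config :my_app, app_env: :dev` in the compile-time config to see the relaxed, HTTP-friendly cookie instead. The same check against a running deployment is simply `curl -sI https://your-host/ | grep -i set-cookie`, which is the quickest way to confirm that a TLS-terminating proxy in front of an HTTP-only Phoenix endpoint has not silently dropped the secure flag.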