@will
Created November 17, 2016 21:04
SameSite strict cookies in rails and pliny/sinatra

SameSite=Strict cookies are another layer that helps prevent CSRF attacks in newer browsers (browsers that do not recognise the attribute simply ignore it, so it complements existing CSRF tokens rather than replacing them).

Rails

(Rails 5 at least; earlier versions untested)

--- a/config/initializers/session_store.rb
+++ b/config/initializers/session_store.rb
@@ -1,3 +1,3 @@
 # Be sure to restart your server when you modify this file.

-Rails.application.config.session_store :cookie_store, key: '_session'
+Rails.application.config.session_store :cookie_store, key: '_session', same_site: :strict
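Review bot: `same_site: :strict` on the added line is the strictest setting and also withholds the session cookie on top-level cross-site navigations (a user who follows a link to the app from another site arrives without a session until the next same-site request), so check whether `:lax` is the intended trade-off for this session store. After deploying, confirm the `Set-Cookie` response header actually carries `SameSite=Strict`: a cookie layer that does not recognise the option drops it silently rather than failing. Keep `protect_from_forgery` in place too, since the gist presents this as an additional layer rather than a replacement for CSRF tokens.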

Pliny/sinatra

Unfortunately, at this time the easiest way would be to use Rack 2, but pliny depends on sinatra ~> 1.4, which in turn depends on rack ~> 1.5, so we will need to wait for sinatra 2 to come out of beta and then for pliny to update its dependency.

Some links:
https://tools.ietf.org/html/draft-west-first-party-cookies-06#section-4.1.1
https://chloe.re/2016/04/13/goodbye-csrf-samesite-to-the-rescue/
https://www.sjoerdlangkemper.nl/2016/04/14/preventing-csrf-with-samesite-cookie-attribute/
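As an added example (not code from the gist, nor from Rails, Rack or Pliny), the following standalone Ruby script shows what the SameSite attribute actually changes, for both the introduction and the Pliny/Sinatra note above: it parses Set-Cookie headers, reports which hardening attributes a session cookie lacks, and simulates the browser's decision from draft-west-first-party-cookies-06 section 4.1.1 (Strict is never sent cross-site; Lax is sent cross-site only on top-level navigations with safe HTTP methods; no attribute means no restriction). The header strings are constructed and the function names are my own.

```ruby
# Added example (not part of the gist): parse Set-Cookie headers, audit a
# session cookie's hardening attributes, and simulate the SameSite decision a
# browser makes when attaching cookies to a cross-site request. The rules
# follow draft-west-first-party-cookies-06, section 4.1.1.

SAFE_METHODS = %w[GET HEAD OPTIONS TRACE].freeze

# Split one Set-Cookie header value into name, value and a lower-cased
# attribute hash (valueless attributes such as HttpOnly map to true).
def parse_set_cookie(header)
  pair, *attrs = header.split(';').map(&:strip)
  name, value = pair.split('=', 2)
  cookie = { name: name, value: value, attrs: {} }
  attrs.each do |attr|
    key, val = attr.split('=', 2)
    cookie[:attrs][key.downcase] = val.nil? ? true : val
  end
  cookie
end

# :strict, :lax, or :none when the attribute is absent or unrecognised
# (browsers treat an unknown value as if the attribute were not there).
def same_site_mode(cookie)
  case cookie[:attrs]['samesite'].to_s.downcase
  when 'strict' then :strict
  when 'lax'    then :lax
  else               :none
  end
end

# Would a browser attach this cookie to the request?
#   same_site: the request originates from the cookie's own site
#   top_level: a top-level navigation (link click, address bar, a form
#              submitted into the top frame) rather than a subresource fetch
#              or XHR
#   method:    the HTTP method of the request
def cookie_sent?(cookie, same_site:, top_level:, method:)
  return true if same_site
  case same_site_mode(cookie)
  when :strict then false
  when :lax    then top_level && SAFE_METHODS.include?(method.upcase)
  else              true
  end
end

# Names of the hardening attributes a session cookie is missing.
def missing_hardening(cookie)
  missing = []
  missing << 'SameSite' if same_site_mode(cookie) == :none
  missing << 'HttpOnly' unless cookie[:attrs]['httponly']
  missing << 'Secure'   unless cookie[:attrs]['secure']
  missing
end

if $PROGRAM_NAME == __FILE__
  # Constructed headers; the first is what a session store configured with
  # same_site: :strict and httponly would emit.
  headers = [
    '_session=abc123; path=/; HttpOnly; SameSite=Strict',
    '_session=abc123; path=/; HttpOnly; SameSite=Lax',
    '_session=abc123; path=/'
  ]
  headers.each do |h|
    c = parse_set_cookie(h)
    form_post = cookie_sent?(c, same_site: false, top_level: true, method: 'POST')
    link_get  = cookie_sent?(c, same_site: false, top_level: true, method: 'GET')
    puts "#{h}\n  cross-site form POST sends cookie: #{form_post}" \
         "\n  cross-site link click sends cookie:  #{link_get}" \
         "\n  missing attributes: #{missing_hardening(c).inspect}"
  end
end
```

Run it with `ruby samesite_check.rb`. The second case shows why Lax is the usual compromise: a cross-site link click still carries the session, while a cross-site form POST (the classic CSRF vector) does not; Strict blocks both.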

rezen commented Nov 14, 2017

# For sinatra (in config.ru or wherever the middleware stack is built)
# ...
# same_site is honoured from Rack 2.0 on; an older Rack ignores the option (see the note above)
use Rack::Session::Cookie,
    :key          => '_session',
    :httponly     => true,
    :same_site    => :strict,
    :path         => '/',
    :expire_after => 60 * 60,   # one hour, in seconds
    :secret       => Config::get('session_secret')
