diff options
| author | Prem Sichanugrist <s@sikachu.com> | 2011-03-27 23:55:46 +0700 |
|---|---|---|
| committer | David Heinemeier Hansson <david@loudthinking.com> | 2011-03-27 13:27:23 -0700 |
| commit | 2c0c4d754e34b13379dfc53121a970c25fab5dae (patch) | |
| tree | a911462aeb8f1bd2e8df9d255708d074cfdf37ce /railties/guides/source/security.textile | |
| parent | b2d94322e6f2c2324154465147938ca8b16c610d (diff) | |
| download | rails-2c0c4d754e34b13379dfc53121a970c25fab5dae.tar.gz rails-2c0c4d754e34b13379dfc53121a970c25fab5dae.tar.bz2 rails-2c0c4d754e34b13379dfc53121a970c25fab5dae.zip | |
Add `config.force_ssl` configuration which will load `Rack::SSL` middleware if set to true
This will allow user to be able to force all requests to be under HTTPS protocol.
This commit was a request from DHH. Special thanks to Josh Peek as well for making `Rack::SSL`.
Diffstat (limited to 'railties/guides/source/security.textile')
| -rw-r--r-- | railties/guides/source/security.textile | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/railties/guides/source/security.textile b/railties/guides/source/security.textile index 182f3631ef..893f65856c 100644 --- a/railties/guides/source/security.textile +++ b/railties/guides/source/security.textile @@ -57,7 +57,11 @@ Many web applications have an authentication system: a user provides a user name Hence, the cookie serves as temporary authentication for the web application. Everyone who seizes a cookie from someone else, may use the web application as this user – with possibly severe consequences. Here are some ways to hijack a session, and their countermeasures: -* Sniff the cookie in an insecure network. A wireless LAN can be an example of such a network. In an unencrypted wireless LAN it is especially easy to listen to the traffic of all connected clients. This is one more reason not to work from a coffee shop. For the web application builder this means to _(highlight)provide a secure connection over SSL_. +* Sniff the cookie in an insecure network. A wireless LAN can be an example of such a network. In an unencrypted wireless LAN it is especially easy to listen to the traffic of all connected clients. This is one more reason not to work from a coffee shop. For the web application builder this means to _(highlight)provide a secure connection over SSL_. In Rails 3.1 and later, this could be accomplished by always forcing SSL connection in your application config file: + +<ruby> +config.force_ssl = true +</ruby> * Most people don't clear out the cookies after working at a public terminal. So if the last user didn't log out of a web application, you would be able to use it as this user. Provide the user with a _(highlight)log-out button_ in the web application, and _(highlight)make it prominent_. |