ruby
8 lines · 1 tab
Kai Nakamura
Apr 2026
1 tab
Rails.application.config.session_store(
:cookie_store,
key: '_codesnips_session',
secure: Rails.env.production?,
httponly: true,
same_site: :lax,
expire_after: 8.hours,
)
1 file · ruby
Explain with highlit
Sessions are fine when they are treated like security-sensitive state. I set HttpOnly, Secure, and SameSite deliberately, rotate session identifiers after login, and keep idle timeout separate from absolute timeout. Weak cookie settings are still a common avoidable compromise path.
Share this code
Here's the card — post it anywhere.