ruby 8 lines · 1 tab

Session cookie hardening for browser based authentication

Kai Nakamura Apr 2026
1 tab
Rails.application.config.session_store(
  :cookie_store,
  key: '_codesnips_session',
  secure: Rails.env.production?,
  httponly: true,
  same_site: :lax,
  expire_after: 8.hours,
)
1 file · ruby Explain with highlit

Sessions are fine when they are treated like security-sensitive state. I set HttpOnly, Secure, and SameSite deliberately, rotate session identifiers after login, and keep idle timeout separate from absolute timeout. Weak cookie settings are still a common avoidable compromise path.

Share this code

Here's the card — post it anywhere.

Session cookie hardening for browser based authentication — share card
Link copied