Relationship between the Rails cookie object, the Cookie HTTP header, and document.cookie

Developer https://www.devze.com 2023-02-06 01:58 Source: Internet

When I access document.cookie in Javascript, it spits out, say:

'user_credentials=5beea8874f2db9feb873828'

Basically, what appears to be some encoded information. Fine.

When I look at the headers, I do see that exact same string being set to user_credentials, but there's also another value being set for _myapplication_session=BAh7CiIQX. Unlike with user_credentials, this one includes capital letters and letters after F.

So:

  • What is _myapplication_session? Is this related to the session object in Rails?
  • Why doesn't _myapplication_session show up with Javascript document.cookie?


What is _myapplication_session? Is this related to the session object in Rails?

Yes, this is the way Rails identifies user sessions.

Why doesn't _myapplication_session show up with Javascript document.cookie?

I believe Rails sets httponly=>true on session cookies, which means they are (generally) not accessible using client-side scripts, as described in this SO thread.
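
The behaviour the answer describes, as an added example that is not part of the original thread: a small Node.js model of which cookies from a response's `Set-Cookie` headers a script can read through `document.cookie`. The header lines are constructed from the two cookie names in the question (their `path` and `HttpOnly` attributes are assumptions), and path, domain, expiry and `Secure` matching are left out.

```javascript
// Constructed sample: Set-Cookie header values modelled on the two cookies in
// the question. The attributes shown are assumptions, not taken from the page.
const sampleSetCookie = [
  "user_credentials=5beea8874f2db9feb873828; path=/",
  "_myapplication_session=BAh7CiIQX; path=/; HttpOnly",
];

// Parse one Set-Cookie header value into its name, value and attribute map.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: eq === -1 ? "" : pair.slice(0, eq),
    value: pair.slice(eq + 1), // keeps any '=' inside the value (e.g. Base64 padding)
    attrs: {},
  };
  for (const attr of attrs) {
    if (!attr) continue;
    const i = attr.indexOf("=");
    // Attribute names are case-insensitive; flags such as HttpOnly carry no value.
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// The string a script would read from document.cookie: HttpOnly cookies are withheld.
function visibleToScript(headers) {
  return headers
    .map(parseSetCookie)
    .filter((c) => !c.attrs.httponly)
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// Audit helper: names of cookies that lack HttpOnly and are therefore script-readable.
function missingHttpOnly(headers) {
  return headers
    .map(parseSetCookie)
    .filter((c) => !c.attrs.httponly)
    .map((c) => c.name);
}

console.log("document.cookie ->", visibleToScript(sampleSetCookie));
console.log("readable by scripts:", missingHttpOnly(sampleSetCookie));
```

Both cookies are still sent back to the server in the `Cookie` request header; `HttpOnly` only hides a cookie from client-side script.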
