Cookies are read and written through ActionController#cookies.

The cookies being read are the ones received along with the request, the cookies being written will be sent out with the response. Reading a cookie does not get the cookie object itself back, just the value it holds.

Examples for writing: 

  # Sets a simple session cookie.
  # This cookie will be deleted when the user's browser is closed.
  cookies[:user_name] = "david"

  # Assign an array of values to a cookie.
  cookies[:lat_lon] = [47.68, -122.37]

  # Sets a cookie that expires in 1 hour.
  cookies[:login] = { :value => "XJ-122", :expires => 1.hour.from_now }

  # Sets a signed cookie, which prevents a user from tampering with its value.
  # The cookie is signed by your app's <tt>config.secret_token</tt> value.
  # Rails generates this value by default when you create a new Rails app.
  cookies.signed[:user_id] = current_user.id

  # Sets a "permanent" cookie (which expires in 20 years from now).
  cookies.permanent[:login] = "XJ-122"

  # You can also chain these methods:
  cookies.permanent.signed[:login] = "XJ-122"

Examples for reading: 

  cookies[:user_name] # => "david"
  cookies.size        # => 2
  cookies[:lat_lon]   # => [47.68, -122.37]

Example for deleting: 

  cookies.delete :user_name

Please note that if you specify a :domain when setting a cookie, you must also specify the domain when deleting the cookie: 

 cookies[:key] = {
   :value => 'a yummy cookie',
   :expires => 1.year.from_now,
   :domain => 'domain.com'
 }

 cookies.delete(:key, :domain => 'domain.com')

The option symbols for setting cookies are:

  • :value - The cookie’s value or list of values (as an array).
  • :path - The path for which this cookie applies. Defaults to the root of the application.
  • :domain - The domain for which this cookie applies so you can restrict to the domain level. If you use a schema like www.example.com and want to share session with user.example.com set :domain to :all. Make sure to specify the :domain option with :all again when deleting keys. 
      :domain => nil  # Does not sets cookie domain. (default)
  :domain => :all # Allow the cookie for the top most level
                    domain and subdomains.
  • :expires - The time at which this cookie expires, as a Time object.
  • :secure - Whether this cookie is a only transmitted to HTTPS servers. Default is false.
  • :httponly - Whether this cookie is accessible via scripting or only HTTP. Defaults to false.
Methods
C
N
Classes and Modules
Constants
HTTP_HEADER = "Set-Cookie".freeze
TOKEN_KEY = "action_dispatch.secret_token".freeze
Class Public methods
new(app)

Source: show | on GitHub 

     # File actionpack/lib/action_dispatch/middleware/cookies.rb, line 332
332:     def initialize(app)
333:       @app = app
334:     end
Instance Public methods
call(env)

Source: show | on GitHub 

     # File actionpack/lib/action_dispatch/middleware/cookies.rb, line 336
336:     def call(env)
337:       cookie_jar = nil
338:       status, headers, body = @app.call(env)
339: 
340:       if cookie_jar = env['action_dispatch.cookies']
341:         cookie_jar.write(headers)
342:         if headers[HTTP_HEADER].respond_to?(:join)
343:           headers[HTTP_HEADER] = headers[HTTP_HEADER].join("\n")
344:         end
345:       end
346: 
347:       [status, headers, body]
348:     end