Add :insecure_cookies option to exclude cookies from being marked secure

commit d95c77a3b283dd46cfcb74454abcc8ec15d86de8 1 parent 6a6c15d
@bkeepers authored
Showing with 14 additions and 4 deletions.
  1. +6 −4 lib/rack/ssl.rb
  2. +8 −0 test/test_ssl.rb
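--- a/lib/rack/ssl.rb
+++ b/lib/rack/ssl.rb
@@ -16,9 +16,10 @@ def initialize(app, options = {})
 @hsts = {} if @hsts.nil? || @hsts == true
 @hsts = self.class.default_hsts_options.merge(@hsts) if @hsts
-@exclude = options[:exclude]
-@host = options[:host]
-@port = options[:port]
+@exclude = options[:exclude]
+@host = options[:host]
+@port = options[:port]
+@insecure_cookies = Array(options[:insecure_cookies])
 end
 def call(env)
@@ -78,7 +79,8 @@ def flag_cookies_as_secure!(headers)
 end
 headers['Set-Cookie'] = cookies.map { |cookie|
-if cookie !~ /; secure(;|$)/
+name = cookie.split('=', 2).first
+if cookie !~ /; secure(;|$)/ && !@insecure_cookies.include?(name)
 "#{cookie}; secure"
 else
 cookie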
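Review bot: The lookup in `name = cookie.split('=', 2).first` compares the raw prefix before the first `=`, so a cookie string with leading whitespace or a differently cased name would not match the configured list and would still receive `; secure`; either document the comparison as exact or normalise it with `cookie.split('=', 2).first.strip`. The `Secure` check on the following line, `/; secure(;|$)/`, is case-sensitive although RFC 6265 attribute names are not, so `/; secure(;|$)/i` would avoid appending a second flag to a cookie already marked `Secure` (pre-existing, but the condition is rewritten here). The new `:insecure_cookies` option is undocumented; a comment such as `# Cookie names listed here are deliberately left without the Secure flag and will also be sent over plain HTTP.` on the `@insecure_cookies` assignment in the first hunk would make the trade-off visible to callers. `initialize` and `flag_cookies_as_secure!` both start outside their hunks, and the `map` block's closing lines are beyond the second hunk.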
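--- a/test/test_ssl.rb
+++ b/test/test_ssl.rb
@@ -117,6 +117,14 @@ def test_no_cookies
 assert !last_response.headers['Set-Cookie']
 end
+def test_insecure_cookies
+self.app = Rack::SSL.new(default_app, :insecure_cookies => ['id'])
+
+get "https://example.org/"
+assert_equal ["id=1; path=/", "token=abc; path=/; secure; HttpOnly" ],
+last_response.headers['Set-Cookie'].split("\n")
+end
+
 def test_redirect_to_host
 self.app = Rack::SSL.new(default_app, :host => "ssl.example.org")
 get "http://example.org/path?key=value"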
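Review bot: `test_insecure_cookies` exercises only the array form of the option; since `Array(options[:insecure_cookies])` in lib/rack/ssl.rb also accepts a single name, a second case constructing `Rack::SSL.new(default_app, :insecure_cookies => 'id')` with the same assertion would pin that path. The unlisted `token` cookie in the expected value already covers the negative case, so no further assertion is needed there. The new test method is complete within the hunk.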