Provide a configurable flag (:flag_cookies_as_secure) so that users o…

…f Rack-SSL can disable the flag_cookies_as_secure functionality. This is useful for rails apps that require SSL, but whose cookies need to be readable by third party systems that do not force SSL.

lib/rack/ssl.rb

@@ -16,8 +16,9 @@ def initialize(app, options = {})
       @hsts = {} if @hsts.nil? || @hsts == true
       @hsts = self.class.default_hsts_options.merge(@hsts) if @hsts
 
-      @exclude = options[:exclude]
-      @host    = options[:host]
+      @exclude                = options[:exclude]
+      @host                   = options[:host]
+      @flag_cookies_as_secure = {:flag_cookies_as_secure => true}.merge(options)[:flag_cookies_as_secure]
     end
 
     def call(env)
@@ -26,7 +27,7 @@ def call(env)
       elsif scheme(env) == 'https'
         status, headers, body = @app.call(env)
         headers = hsts_headers.merge(headers)
-        flag_cookies_as_secure!(headers)
+        flag_cookies_as_secure!(headers) if @flag_cookies_as_secure
         [status, headers, body]
       else
         redirect_to_https(env)

test/test_ssl.rb

@@ -81,6 +81,13 @@ def test_flag_cookies_as_secure
       last_response.headers['Set-Cookie'].split("\n")
   end
 
+  def test_do_not_flag_cookies_as_secure
+    self.app = Rack::SSL.new(default_app, :flag_cookies_as_secure => false)
+    get "https://example.org/"
+    assert_equal ["id=1; path=/", "token=abc; path=/; secure; HttpOnly" ],
+      last_response.headers['Set-Cookie'].split("\n")
+  end
+
   def test_flag_cookies_as_secure_at_end_of_line
     self.app = Rack::SSL.new(lambda { |env|
       headers = {