
Provide a configurable flag (:flag_cookies_as_secure) so that users of Rack-SSL can disable the flag_cookies_as_secure functionality.

This is useful for Rails apps that require SSL, but whose cookies need to be readable by third-party systems that do not force SSL.
freerobby committed Nov 9, 2012
1 parent e07a9de commit 7102aaa16da26188de69f862ca25cf6ec814e156
Showing with 11 additions and 3 deletions.
  1. +4 −3 lib/rack/ssl.rb
  2. +7 −0 test/test_ssl.rb
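--- a/lib/rack/ssl.rb
+++ b/lib/rack/ssl.rb
@@ -16,8 +16,9 @@ def initialize(app, options = {})
 @hsts = {} if @hsts.nil? || @hsts == true
 @hsts = self.class.default_hsts_options.merge(@hsts) if @hsts
-@exclude = options[:exclude]
-@host = options[:host]
+@exclude = options[:exclude]
+@host = options[:host]
+@flag_cookies_as_secure = {:flag_cookies_as_secure => true}.merge(options)[:flag_cookies_as_secure]
 end
 def call(env)
@@ -26,7 +27,7 @@ def call(env)
 elsif scheme(env) == 'https'
 status, headers, body = @app.call(env)
 headers = hsts_headers.merge(headers)
-flag_cookies_as_secure!(headers)
+flag_cookies_as_secure!(headers) if @flag_cookies_as_secure
 [status, headers, body]
 else
 redirect_to_https(env)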
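Review bot: The option lookup on the `@flag_cookies_as_secure` line builds and merges a throwaway hash just to obtain a default; `@flag_cookies_as_secure = options.fetch(:flag_cookies_as_secure, true)` reads the same value more directly, and with both forms an explicit `nil` silently disables the flag, which is worth stating if it is intended. The new knob also has no comment explaining what is given up: I would add above the assignment `# When false, Set-Cookie headers from the app are passed through without the Secure attribute, so the app must mark any session cookie it still wants confined to HTTPS itself (see call).` so the next maintainer does not treat it as a cosmetic switch. Both hunks sit inside initialize and call, whose bodies start and end outside the visible lines.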
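--- a/test/test_ssl.rb
+++ b/test/test_ssl.rb
@@ -81,6 +81,13 @@ def test_flag_cookies_as_secure
 last_response.headers['Set-Cookie'].split("\n")
 end
+def test_do_not_flag_cookies_as_secure
+self.app = Rack::SSL.new(default_app, :flag_cookies_as_secure => false)
+get "https://example.org/"
+assert_equal ["id=1; path=/", "token=abc; path=/; secure; HttpOnly" ],
+last_response.headers['Set-Cookie'].split("\n")
+end
+
 def test_flag_cookies_as_secure_at_end_of_line
 self.app = Rack::SSL.new(lambda { |env|
 headers = {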
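Review bot: The expected array in `test_do_not_flag_cookies_as_secure` carries a stray space before its closing bracket (`"token=abc; path=/; secure; HttpOnly" ]`), which the neighbouring assertions do not; dropping it keeps the literal consistent with the rest of the file. The new test only pins the explicit `false` case, so a companion passing `:flag_cookies_as_secure => true` and expecting the same output as the default-constructed middleware would guard the default the option is meant to preserve. The surrounding tests `test_flag_cookies_as_secure` and `test_flag_cookies_as_secure_at_end_of_line` start or end outside the visible lines.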
