Provide a configurable flag (:flag_cookies_as_secure) so that users of Rack-SSL can disable the flag_cookies_as_secure functionality. #20

Closed

@freerobby

Provide a configurable flag (:flag_cookies_as_secure) so that users of Rack-SSL can disable the flag_cookies_as_secure functionality. This is useful for rails apps that require SSL, but whose cookies need to be readable by third party systems that do not force SSL.

I reverse-merged the options hash with {:flag_cookies_as_secure => true} so that the default behavior would remain unchanged.

freerobby added some commits
@freerobby freerobby Provide a configurable flag (:flag_cookies_as_secure) so that users o…
…f Rack-SSL can disable the flag_cookies_as_secure functionality. This is useful for rails apps that require SSL, but whose cookies need to be readable by third party systems that do not force SSL.
7102aaa
@freerobby freerobby Update README with instructions for disabling flag_cookies_as_secure cc58f06
@josh
Owner

This is useful for rails apps that require SSL, but whose cookies need to be readable by third party systems that do not force SSL.

This middleware ain't for you then.

@josh josh closed this
Commits on Nov 9, 2012
Showing with 12 additions and 4 deletions.
  1. +1 −1  README.md
  2. +4 −3 lib/rack/ssl.rb
  3. +7 −0 test/test_ssl.rb
2  README.md
@@ -5,7 +5,7 @@ Force SSL/TLS in your app.
1. Redirects all "http" requests to "https"
2. Set `Strict-Transport-Security` header
-3. Flag all cookies as "secure"
+3. Flag all cookies as "secure" (this can be disabled by setting `:flag_cookies_as_secure => false` in the `options` hash)
Usage
-----
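Review bot: The reworded item 3 in the README says how to turn the flag off but not what is lost by doing so. A cookie set without `secure` on an https response is also sent by the browser on any plain http request to the same host, including the request that item 1 answers with a redirect, so it can be read on the wire. Suggest stating that the default is `true` and adding one sentence on that exposure next to the option.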
7 lib/rack/ssl.rb
@@ -16,8 +16,9 @@ def initialize(app, options = {})
@hsts = {} if @hsts.nil? || @hsts == true
@hsts = self.class.default_hsts_options.merge(@hsts) if @hsts
- @exclude = options[:exclude]
- @host = options[:host]
+ @exclude = options[:exclude]
+ @host = options[:host]
+ @flag_cookies_as_secure = {:flag_cookies_as_secure => true}.merge(options)[:flag_cookies_as_secure]
end
def call(env)
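Review bot: In `initialize`, `{:flag_cookies_as_secure => true}.merge(options)[:flag_cookies_as_secure]` lets any falsy value switch the protection off: a caller that passes `:flag_cookies_as_secure => nil`, for example from an unset config value, silently gets unflagged cookies. For a security default it is safer to disable only on an explicit `false`, e.g. `options.fetch(:flag_cookies_as_secure, true) != false`. The `@exclude` and `@host` lines change only in alignment and could be left out to keep the diff focused.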
@@ -26,7 +27,7 @@ def call(env)
elsif scheme(env) == 'https'
status, headers, body = @app.call(env)
headers = hsts_headers.merge(headers)
- flag_cookies_as_secure!(headers)
+ flag_cookies_as_secure!(headers) if @flag_cookies_as_secure
[status, headers, body]
else
redirect_to_https(env)
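Review bot: The new guard on `flag_cookies_as_secure!(headers)` in `call` is all-or-nothing: with the option set to `false`, every cookie on every https response goes out exactly as the app set it, including session cookies that no third party needs to read. Consider a narrower opt-out, such as a list of cookie names to leave untouched, so that the remaining cookies keep the `secure` attribute. A short comment here noting that the HSTS headers are still merged while cookie flagging is skipped would also help the next reader.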
7 test/test_ssl.rb
@@ -81,6 +81,13 @@ def test_flag_cookies_as_secure
last_response.headers['Set-Cookie'].split("\n")
end
+ def test_do_not_flag_cookies_as_secure
+ self.app = Rack::SSL.new(default_app, :flag_cookies_as_secure => false)
+ get "https://example.org/"
+ assert_equal ["id=1; path=/", "token=abc; path=/; secure; HttpOnly" ],
+ last_response.headers['Set-Cookie'].split("\n")
+ end
+
def test_flag_cookies_as_secure_at_end_of_line
self.app = Rack::SSL.new(lambda { |env|
headers = {
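Review bot: `test_do_not_flag_cookies_as_secure` covers only an explicit `false`, so nothing pins down what happens for other values of the new option. Suggest adding a case for `:flag_cookies_as_secure => nil` and one that passes other options without the key (only `:host`, say), each asserting the intended result for `id=1`, so the default cannot regress unnoticed. There is also a stray space before the closing `]` in the `assert_equal` array.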