allow secure session cookies through proxy or to localhost

lib/rack/session/abstract/id.rb

@@ -257,6 +257,7 @@ def initialize(app, options = {})
           @app = app
           @default_options = self.class::DEFAULT_OPTIONS.merge(options)
           @key = @default_options.delete(:key)
+          @assume_ssl = @default_options.delete(:assume_ssl)
           @cookie_only = @default_options.delete(:cookie_only)
           @same_site = @default_options.delete(:same_site)
           initialize_sid
@@ -368,7 +369,7 @@ def force_options?(options)
 
         def security_matches?(request, options)
           return true unless options[:secure]
-          request.ssl?
+          request.ssl? || @assume_ssl == true
         end
 
         # Acquires the session from the environment and the session id from

test/spec_session_abstract_persisted.rb

@@ -68,4 +68,28 @@ def session_exists?(req)
   it "#delete_session raises" do
     proc { @pers.send(:delete_session, nil, nil, nil) }.must_raise RuntimeError
   end
+
+  describe '#security_matches?' do
+
+    it '#security_matches? returns true if secure cookie is off' do
+      @pers.send(:security_matches?, Rack::Request.new({}), {}).must_equal true
+    end
+
+    it '#security_matches? returns true if ssl is on' do
+      req = Rack::Request.new({})
+      req.set_header('HTTPS', 'on')
+      @pers.send(:security_matches?, req, { secure: true }).must_equal true
+    end
+
+    it '#security_matches? returns true if assume_ssl option is set' do
+      req = Rack::Request.new({})
+      pers_with_persist = @class.new(nil, { assume_ssl: true })
+      pers_with_persist.send(:security_matches?, req, { secure: true }).must_equal true
+    end
+
+    it '#security_matches? returns false if secure cookie is on, but not ssl or assume_ssl' do
+      @pers.send(:security_matches?, Rack::Request.new({}), { secure: true }).must_equal false
+    end
+
+  end
 end