Bros, can we have a rack 1.4.0 release? If so, let me know, I will run Rails using Rack from master to make double sure we don't have a regression and ping you back if everything passes.
We should give the issues another round before that. I'll see if I can make some time for that.
I've done a bunch of the pull requests today. I'll try and get to issues this evening.
I have a couple of semi-blockers, so it might not happen this weekend.
José: do you have an opinion on #272?
I have mixed feelings, but I don't know how often this has come up in your community.
I am worried that the more correct action is to clear all cookies, but, with this specific replication - that would result in loss of tracking, and users logged out.
I doubt, without XSS open, that clearing all cookies could be abused?
I have never seen this coming up in exceptions (hoptoad and the like) but what would be the reasoning in cleaning all cookies? I'd just ignore the ones that are invalid instead.
Btw, tks for working on a 1.4.0 release! <3 <3
Well, the problem is, you potentially have a corrupted session if one or more cookies are broken. We could hand this on to the apps, but it's a bit like handing someone a knife with the blade pointing at the palm of their hand. Don't get me wrong, I'm all for giving developers knives, but saying "here catch" seems a little less fair.
Well, clearing it all should also be fine. My assumption is that the broken cookie would not be set by the app, so we could ignore it without affecting the others. If you have a broken cookie setup you should be able to catch it in development; the only problem is when it comes accidentally from other entities and we would not like to clear everything.
José, thanks again for checking this out today. Release will happen shortly!