Permalink
Browse files

Don't write out secure cookies unless the request is secure

  • Loading branch information...
pixeltrix committed Oct 22, 2010
1 parent cdce5fc commit 2d5a12a50bcd83fcc99865de759b82e661b28698
@@ -98,17 +98,19 @@ class CookieJar < Hash #:nodoc:
def self.build(request)
secret = request.env[TOKEN_KEY]
host = request.host
+ secure = request.ssl?
- new(secret, host).tap do |hash|
+ new(secret, host, secure).tap do |hash|
hash.update(request.cookies)
end
end
- def initialize(secret = nil, host = nil)
+ def initialize(secret = nil, host = nil, secure = false)
@secret = secret
@set_cookies = {}
@delete_cookies = {}
@host = host
+ @secure = secure
super()
end
@@ -193,9 +195,15 @@ def signed
end
def write(headers)
- @set_cookies.each { |k, v| ::Rack::Utils.set_cookie_header!(headers, k, v) }
+ @set_cookies.each { |k, v| ::Rack::Utils.set_cookie_header!(headers, k, v) if write_cookie?(v) }
@delete_cookies.each { |k, v| ::Rack::Utils.delete_cookie_header!(headers, k, v) }
end
+
+ private
+
+ def write_cookie?(cookie)
+ @secure || !cookie[:secure] || Rails.env.development?

This comment has been minimized.

Show comment Hide comment
@josevalim

josevalim Oct 27, 2010

Contributor

We should check first if Rails is defined. "defined?(Rails.env) && Rails.env.development?"

@josevalim

josevalim Oct 27, 2010

Contributor

We should check first if Rails is defined. "defined?(Rails.env) && Rails.env.development?"

This comment has been minimized.

Show comment Hide comment
@pixeltrix

pixeltrix Oct 27, 2010

Member

Done here and here.

+ end
end
class PermanentCookieJar < CookieJar #:nodoc:
@@ -47,6 +47,11 @@
require 'pp' # require 'pp' early to prevent hidden_methods from not picking up the pretty-print methods until too late
module Rails
+ class << self
+ def env
+ @_env ||= ActiveSupport::StringInquirer.new(ENV["RAILS_ENV"] || ENV["RACK_ENV"] || "test")
+ end
+ end
end
ActiveSupport::Dependencies.hook!
@@ -135,11 +135,25 @@ def test_setting_cookie_with_http_only
end
def test_setting_cookie_with_secure
+ @request.env["HTTPS"] = "on"
get :authenticate_with_secure
assert_cookie_header "user_name=david; path=/; secure"
assert_equal({"user_name" => "david"}, @response.cookies)
end
+ def test_setting_cookie_with_secure_in_development
+ Rails.env.stubs(:development?).returns(true)
+ get :authenticate_with_secure
+ assert_cookie_header "user_name=david; path=/; secure"
+ assert_equal({"user_name" => "david"}, @response.cookies)
+ end
+
+ def test_not_setting_cookie_with_secure
+ get :authenticate_with_secure
+ assert_not_cookie_header "user_name=david; path=/; secure"
+ assert_not_equal({"user_name" => "david"}, @response.cookies)
+ end
+
def test_multiple_cookies
get :set_multiple_cookies
assert_equal 2, @response.cookies.size
@@ -286,4 +300,13 @@ def assert_cookie_header(expected)
assert_equal expected.split("\n"), header
end
end
+
+ def assert_not_cookie_header(expected)
+ header = @response.headers["Set-Cookie"]
+ if header.respond_to?(:to_str)
+ assert_not_equal expected.split("\n").sort, header.split("\n").sort
+ else
+ assert_not_equal expected.split("\n"), header
+ end
+ end
end

0 comments on commit 2d5a12a

Please sign in to comment.