
Don't write out secure cookies unless the request is secure

pixeltrix committed Oct 22, 2010
1 parent e9d593b commit 909c860a429eb603078d58cbedbad8613ba1ae2e
@@ -98,17 +98,19 @@ class CookieJar < Hash #:nodoc:
def self.build(request)
secret = request.env[TOKEN_KEY]
host = request.host
+ secure = request.ssl?
- new(secret, host).tap do |hash|
+ new(secret, host, secure).tap do |hash|
hash.update(request.cookies)
end
end
- def initialize(secret = nil, host = nil)
+ def initialize(secret = nil, host = nil, secure = false)
@secret = secret
@set_cookies = {}
@delete_cookies = {}
@host = host
+ @secure = secure
super()
end
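Review bot: The new third positional argument `secure = false` is undocumented, and its default means a jar constructed anywhere other than `CookieJar.build` will silently skip every `:secure` cookie at write time; a comment on `initialize` along the lines of `# secure - true when the jar was built from an SSL request; :secure cookies are only emitted when this is set` would make that contract visible to callers and to the subclasses whose constructors start outside this hunk. It is also worth a line on `secure = request.ssl?` noting that Rack derives `ssl?` from the `HTTPS` env entry and forwarded-scheme headers, so behind a TLS-terminating proxy the value is only as trustworthy as the proxy configuration that sets them (inferred from Rack, not visible here).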
@@ -193,9 +195,15 @@ def signed
end
def write(headers)
- @set_cookies.each { |k, v| ::Rack::Utils.set_cookie_header!(headers, k, v) }
+ @set_cookies.each { |k, v| ::Rack::Utils.set_cookie_header!(headers, k, v) if write_cookie?(v) }
@delete_cookies.each { |k, v| ::Rack::Utils.delete_cookie_header!(headers, k, v) }
end
+
+ private
+
+ def write_cookie?(cookie)
+ @secure || !cookie[:secure] || Rails.env.development?
+ end
end
class PermanentCookieJar < CookieJar #:nodoc:
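Review bot: `write_cookie?` references the `Rails` constant from ActionDispatch, which is why the test helper hunk in this same commit has to define `Rails.env` for the suite to load; guarding the bypass with `defined?(Rails) && Rails.env.development?` keeps the cookie jar usable when railties is not present. The skip is also completely silent: on a plain-HTTP request (or behind a proxy that does not forward the scheme) a `:secure` session cookie is simply never set and there is no log line to explain why, so at minimum a comment such as `# :secure cookies are dropped on non-SSL requests (except in development) rather than sent in the clear; behind a TLS-terminating proxy make sure the scheme is forwarded so request.ssl? is true` should sit above the method. `cookie[:secure]` assumes every value in `@set_cookies` has been normalised to a Hash by `[]=`, which is outside this hunk and worth confirming.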
@@ -47,6 +47,11 @@
require 'pp' # require 'pp' early to prevent hidden_methods from not picking up the pretty-print methods until too late
module Rails
+ class << self
+ def env
+ @_env ||= ActiveSupport::StringInquirer.new(ENV["RAILS_ENV"] || ENV["RACK_ENV"] || "test")
+ end
+ end
end
# Monkey patch the old routes initialization to be silenced.
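Review bot: The `Rails.env` definition is unconditional, so if railties is ever loaded into the same test process this helper shadows the real implementation with one that falls back to `"test"`; wrapping the `def env` in `unless Rails.respond_to?(:env)` avoids that. Note also that `@_env ||=` memoises a single `StringInquirer`, so the stub of `development?` in the cookie tests is applied to an object shared by every test in the run and relies on the mocking library restoring it at teardown (inferred from the test hunk below, not visible here).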
@@ -48,6 +48,11 @@ def authenticate_with_http_only
head :ok
end
+ def authenticate_with_secure
+ cookies["user_name"] = { :value => "david", :secure => true }
+ head :ok
+ end
+
def set_permanent_cookie
cookies.permanent[:user_name] = "Jamie"
head :ok
@@ -129,6 +134,26 @@ def test_setting_cookie_with_http_only
assert_equal({"user_name" => "david"}, @response.cookies)
end
+ def test_setting_cookie_with_secure
+ @request.env["HTTPS"] = "on"
+ get :authenticate_with_secure
+ assert_cookie_header "user_name=david; path=/; secure"
+ assert_equal({"user_name" => "david"}, @response.cookies)
+ end
+
+ def test_setting_cookie_with_secure_in_development
+ Rails.env.stubs(:development?).returns(true)
+ get :authenticate_with_secure
+ assert_cookie_header "user_name=david; path=/; secure"
+ assert_equal({"user_name" => "david"}, @response.cookies)
+ end
+
+ def test_not_setting_cookie_with_secure
+ get :authenticate_with_secure
+ assert_not_cookie_header "user_name=david; path=/; secure"
+ assert_not_equal({"user_name" => "david"}, @response.cookies)
+ end
+
def test_multiple_cookies
get :set_multiple_cookies
assert_equal 2, @response.cookies.size
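Review bot: `assert_not_equal({"user_name" => "david"}, @response.cookies)` in `test_not_setting_cookie_with_secure` also passes if the cookie were written with any other value or alongside another cookie, so it does not pin the behaviour the commit introduces; `assert_nil @response.cookies["user_name"]` (or `assert_equal({}, @response.cookies)`) states the intent exactly. The three new tests also leave one side uncovered: there is no case showing that a cookie without `:secure` is still written when the request is SSL, which is the other branch of `write_cookie?`.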
@@ -275,4 +300,13 @@ def assert_cookie_header(expected)
assert_equal expected.split("\n"), header
end
end
+
+ def assert_not_cookie_header(expected)
+ header = @response.headers["Set-Cookie"]
+ if header.respond_to?(:to_str)
+ assert_not_equal expected.split("\n").sort, header.split("\n").sort
+ else
+ assert_not_equal expected.split("\n"), header
+ end
+ end
end
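Review bot: `assert_not_cookie_header` cannot fail when the `Set-Cookie` header is absent: a `nil` header takes the else branch and `assert_not_equal expected.split("\n"), nil` is trivially true, so the helper passes even if the response never reached the cookie writer at all, and the string branch compares the whole header, so a response carrying the expected cookie plus one more also passes. Checking per line is both stricter and simpler: `lines = Array(@response.headers["Set-Cookie"]).map { |h| h.split("\n") }.flatten` followed by `expected.split("\n").each { |line| assert !lines.include?(line), "unexpected cookie: #{line}" }`. That keeps the same call signature as `assert_cookie_header`, whose body starts outside this hunk.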

