
config.force_ssl should mark the session as secure.

1 parent a677701 commit d2093250501ab2089843c86c9c88bc6c818a38c3 @josevalim josevalim committed Jan 12, 2012
@@ -1,5 +1,9 @@
## Rails 3.1.4 (unreleased) ##
+* Setting config.force_ssl also marks the session cookie as secure.
+
+ *José Valim*
+
* Add therubyrhino to Gemfile in new applications when running under JRuby.
*Guillermo Iguaran*
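Review bot: The added CHANGELOG line says config.force_ssl "also marks the session cookie as secure" but does not say that an explicitly set :secure session option takes precedence, which is what the `!config.session_options.key?(:secure)` guard in this commit implements. Suggest extending the entry with something like "unless :secure is already set in the session options", so that anyone passing `:secure => false` knows the cookie will still be issued without the Secure flag.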
@@ -35,6 +39,8 @@
Plugins developers need to special case their initializers that are
meant to be run in the assets group by adding :group => :assets.
+ *José Valim*
+
## Rails 3.1.0 (August 30, 2011) ##
@@ -175,6 +175,9 @@ def default_middleware_stack
middleware.use ::ActionDispatch::Cookies
if config.session_store
+ if config.force_ssl && !config.session_options.key?(:secure)
+ config.session_options[:secure] = true
+ end
middleware.use config.session_store, config.session_options
middleware.use ::ActionDispatch::Flash
end
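Review bot: The added guard `if config.force_ssl && !config.session_options.key?(:secure)` tests key presence rather than the value, so a configuration that passes `:secure => false` (or `:secure => nil`) keeps that value and the session cookie is issued without the Secure attribute even though force_ssl is on. If that opt-out is intended, a one-line comment above the guard should say so; if it is not, test the value instead of `key?`. The assignment also mutates config.session_options from inside default_middleware_stack, which deserves a comment because code reading the options afterwards sees a value the application never set.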
@@ -0,0 +1,30 @@
+# encoding: utf-8
+require 'isolation/abstract_unit'
+require 'rack/test'
+
+module ApplicationTests
+ class MiddlewareSessionTest < ActiveSupport::TestCase
androbtech Jan 13, 2012

Shouldn't MiddlewareSessionTest be a subclass of Test::Unit::TestCase instead?

Ah, missed it, forgot what version of rb MRI I was running against. Can't remember but I think activesupport wasn't being loaded somehow.

+ include ActiveSupport::Testing::Isolation
+ include Rack::Test::Methods
+
+ def setup
+ build_app
+ boot_rails
+ FileUtils.rm_rf "#{app_path}/config/environments"
+ end
+
+ def teardown
+ teardown_app
+ end
+
+ def app
+ @app ||= Rails.application
+ end
+
+ test "config.force_ssl sets cookie to secure only" do
+ add_to_config "config.force_ssl = true"
+ require "#{app_path}/config/environment"
+ assert app.config.session_options[:secure], "Expected session to be marked as secure"
+ end
+ end
+end
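Review bot: The only assertion, `assert app.config.session_options[:secure]`, checks the configuration hash and not what a client actually receives, even though the test is named "sets cookie to secure only" and the class includes Rack::Test::Methods. Suggest issuing a request through the app and asserting that the session Set-Cookie header carries the secure attribute, and adding a second test for the branch the guard skips, where :secure is already present in session_options.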
