Merge pull request #739 from azylman/master

Fixes #733 - parse x-forwarded-proto more generally
senchalabs · Feb 12, 2013 · 9afeb1f · 9afeb1f
2 parents 7dbd875 + fb96f99
commit 9afeb1f
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 3 deletions.
diff --git a/lib/middleware/session.js b/lib/middleware/session.js
@@ -248,7 +248,7 @@ function session(options){
     res.on('header', function(){
       if (!req.session) return;
       var cookie = req.session.cookie
-        , proto = (req.headers['x-forwarded-proto'] || '').toLowerCase()
+        , proto = (req.headers['x-forwarded-proto'] || '').split(',')[0].toLowerCase().trim()
         , tls = req.connection.encrypted || (trustProxy && 'https' == proto)
         , secured = cookie.secure && tls
         , isNew = unsignedCookie != req.sessionID;
@@ -312,7 +312,7 @@ function session(options){
 
       // error handling
       if (err) {
-        debug('error');
+        debug('error' + JSON.stringify(err));
         if ('ENOENT' == err.code) {
           generate();
           next();

diff --git a/test/session.js b/test/session.js
@@ -32,7 +32,7 @@ describe('connect.session()', function(){
 
   describe('proxy option', function(){
     describe('when enabled', function(){
-      it('should trust X-Forwarded-Proto', function(done){
+      it('should trust X-Forwarded-Proto when string', function(done){
         var app = connect()
           .use(connect.cookieParser())
           .use(connect.session({ secret: 'keyboard cat', proxy: true, cookie: { secure: true, maxAge: 5 }}))
@@ -46,6 +46,21 @@ describe('connect.session()', function(){
           done();
         });
       })
+
+      it('should trust X-Forwarded-Proto when comma-separated list', function(done){
+        var app = connect()
+          .use(connect.cookieParser())
+          .use(connect.session({ secret: 'keyboard cat', proxy: true, cookie: { secure: true, maxAge: 5 }}))
+          .use(respond);
+
+        app.request()
+        .get('/')
+        .set('X-Forwarded-Proto', 'https,http')
+        .end(function(res){
+          res.headers.should.have.property('set-cookie');
+          done();
+        });
+      })
     })
 
     describe('when disabled', function(){