config.force_ssl should mark the session as secure.

2012-01-12 20:46:54 +01:00 · 2012-01-12 20:46:54 +01:00 · d6933a1e9f
parent d393e46149
commit d6933a1e9f
2 changed files with 33 additions and 0 deletions
--- a/railties/lib/rails/application.rb
+++ b/railties/lib/rails/application.rb
@ -258,6 +258,9 @@ module Rails
        middleware.use ::ActionDispatch::Cookies

        if config.session_store
+          if config.force_ssl && !config.session_options.key?(:secure)
+            config.session_options[:secure] = true
+          end
          middleware.use config.session_store, config.session_options
          middleware.use ::ActionDispatch::Flash
        end
--- a/railties/test/application/middleware/session_test.rb
+++ b/railties/test/application/middleware/session_test.rb
@ -0,0 +1,30 @@
+# encoding: utf-8
+require 'isolation/abstract_unit'
+require 'rack/test'
+
+module ApplicationTests
+  class MiddlewareSessionTest < ActiveSupport::TestCase
+    include ActiveSupport::Testing::Isolation
+    include Rack::Test::Methods
+
+    def setup
+      build_app
+      boot_rails
+      FileUtils.rm_rf "#{app_path}/config/environments"
+    end
+
+    def teardown
+      teardown_app
+    end
+
+    def app
+      @app ||= Rails.application
+    end
+
+    test "config.force_ssl sets cookie to secure only" do
+      add_to_config "config.force_ssl = true"
+      require "#{app_path}/config/environment"
+      assert app.config.session_options[:secure], "Expected session to be marked as secure"
+    end
+  end
+end