Introduce assume_ssl option to allow secure session cookies through…
… insecure proxy (#41)
jrmcgarvey authored and ioquatix committed Jan 4, 2025
1 parent 178daa3 commit abb6b62
Showing 2 changed files with 26 additions and 1 deletion.
3 changes: 2 additions & 1 deletion lib/rack/session/abstract/id.rb
Expand Up @@ -257,6 +257,7 @@ def initialize(app, options = {})
@app = app
@default_options = self.class::DEFAULT_OPTIONS.merge(options)
@key = @default_options.delete(:key)
@assume_ssl = @default_options.delete(:assume_ssl)
@cookie_only = @default_options.delete(:cookie_only)
@same_site = @default_options.delete(:same_site)
initialize_sid
Expand Down Expand Up @@ -368,7 +369,7 @@ def force_options?(options)

def security_matches?(request, options)
return true unless options[:secure]
request.ssl?
request.ssl? || @assume_ssl == true
end

# Acquires the session from the environment and the session id from
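Review bot: The new `request.ssl? || @assume_ssl == true` in `security_matches?` turns a per-request check into a process-wide override: once `assume_ssl: true` is set, a `secure: true` session cookie is written on every response, including one that actually arrived over cleartext (direct access bypassing the proxy, a misrouted host, a health-check listener), whereas before the session was simply not committed in that case. That puts the session id on the wire in a plaintext `Set-Cookie`, so the option is only safe when the operator is certain that every client-facing hop is TLS, and that should be stated next to the option; I would add above the method: `# assume_ssl: trust the deployment, not the request — only set it when all client traffic is known to be TLS-terminated upstream; prefer having the proxy send X-Forwarded-Proto so request.ssl? can decide per request (I believe Rack::Request#ssl? honours that header — confirm for the Rack version in use).` The strict `== true` also means `assume_ssl: "true"` or `1` silently leaves the check in place; if that is deliberate as a fail-closed choice, say so in the same comment, otherwise `!!@assume_ssl` is the usual form. The option is not visible in `DEFAULT_OPTIONS` in this hunk, so if it is not documented there either, the class-level option list (outside the hunk) should gain an entry.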
24 changes: 24 additions & 0 deletions test/spec_session_abstract_persisted.rb
Expand Up @@ -68,4 +68,28 @@ def session_exists?(req)
it "#delete_session raises" do
proc { @pers.send(:delete_session, nil, nil, nil) }.must_raise RuntimeError
end

describe '#security_matches?' do

it '#security_matches? returns true if secure cookie is off' do
@pers.send(:security_matches?, Rack::Request.new({}), {}).must_equal true
end

it '#security_matches? returns true if ssl is on' do
req = Rack::Request.new({})
req.set_header('HTTPS', 'on')
@pers.send(:security_matches?, req, { secure: true }).must_equal true
end

it '#security_matches? returns true if assume_ssl option is set' do
req = Rack::Request.new({})
pers_with_persist = @class.new(nil, { assume_ssl: true })
pers_with_persist.send(:security_matches?, req, { secure: true }).must_equal true
end

it '#security_matches? returns false if secure cookie is on, but not ssl or assume_ssl' do
@pers.send(:security_matches?, Rack::Request.new({}), { secure: true }).must_equal false
end

end
end
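Review bot: The new `#security_matches?` cases never exercise the fail-closed side of the option: nothing pins that `assume_ssl: false`, an omitted option, or a truthy non-`true` value such as `'on'` still yields `false` when `secure: true` and the request is not TLS, which is exactly the behaviour the strict `== true` comparison in the implementation relies on. One extra case would lock that in: `it '#security_matches? ignores assume_ssl unless it is literally true' do` / `@class.new(nil, { assume_ssl: 'on' }).send(:security_matches?, Rack::Request.new({}), { secure: true }).must_equal false` / `end`. On naming, `pers_with_persist` says nothing about what distinguishes the instance; `pers_assume_ssl` would read better. The enclosing `describe` started before this hunk.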
