Merge pull request #25730 from prathamesh-sonpatki/rm-cookie-only

No need to set `cookie_only` option from Rails

2 files changed, 7 insertions, 1 deletions

diff --git a/actionpack/lib/action_dispatch/middleware/session/cookie_store.rb b/actionpack/lib/action_dispatch/middleware/session/cookie_store.rb
index dec9c60ef2..380a24a367 100644
--- a/actionpack/lib/action_dispatch/middleware/session/cookie_store.rb
+++ b/actionpack/lib/action_dispatch/middleware/session/cookie_store.rb
@@ -64,7 +64,7 @@ module ActionDispatch
     # <tt>:httponly</tt>.
     class CookieStore < AbstractStore
       def initialize(app, options={})
-        super(app, options.merge!(:cookie_only => true))
+        super(app, options.merge!(cookie_only: true))
       end
 
       def delete_session(req, session_id, options)
diff --git a/railties/test/application/middleware/session_test.rb b/railties/test/application/middleware/session_test.rb
index 85e7761727..6ea7cad201 100644
--- a/railties/test/application/middleware/session_test.rb
+++ b/railties/test/application/middleware/session_test.rb
@@ -373,5 +373,11 @@ module ApplicationTests
 
       refute Rails.application.middleware.include?(ActionDispatch::Flash)
     end
+
+    test "cookie_only is set to true even if user tries to overwrite it" do
+      add_to_config "config.session_store :cookie_store, key: '_myapp_session', cookie_only: false"
+      require "#{app_path}/config/environment"
+      assert app.config.session_options[:cookie_only], "Expected cookie_only to be set to true"
+    end
   end
 end