authorSantiago Pastorino <santiago@wyeworks.com>2012-10-30 18:12:23 -0200
committerSantiago Pastorino <santiago@wyeworks.com>2012-11-03 14:57:54 -0200
commitfb0cea2b8cf61cde1aa4c640b56e896fbe308aa1 (patch)
tree5b106a4db62c0e13f0ace00c8785e48b78b0d070
parent38c40dbbc1de5837a05d762be95e69105acc929c (diff)
downloadrails-fb0cea2b8cf61cde1aa4c640b56e896fbe308aa1.tar.gz
rails-fb0cea2b8cf61cde1aa4c640b56e896fbe308aa1.tar.bz2
rails-fb0cea2b8cf61cde1aa4c640b56e896fbe308aa1.zip
Add encrypted cookie store
-rw-r--r--actionpack/lib/action_dispatch.rb9
-rw-r--r--actionpack/lib/action_dispatch/middleware/session/cookie_store.rb23
-rw-r--r--railties/lib/rails/generators/rails/app/templates/config/initializers/session_store.rb.tt2
-rw-r--r--railties/test/application/middleware/session_test.rb51
-rw-r--r--railties/test/generators/app_generator_test.rb2
5 files changed, 78 insertions, 9 deletions
diff --git a/actionpack/lib/action_dispatch.rb b/actionpack/lib/action_dispatch.rb
index 0ec355246e..ab1755acd5 100644
--- a/actionpack/lib/action_dispatch.rb
+++ b/actionpack/lib/action_dispatch.rb
@@ -81,10 +81,11 @@ module ActionDispatch
end
module Session
- autoload :AbstractStore, 'action_dispatch/middleware/session/abstract_store'
- autoload :CookieStore, 'action_dispatch/middleware/session/cookie_store'
- autoload :MemCacheStore, 'action_dispatch/middleware/session/mem_cache_store'
- autoload :CacheStore, 'action_dispatch/middleware/session/cache_store'
+ autoload :AbstractStore, 'action_dispatch/middleware/session/abstract_store'
+ autoload :CookieStore, 'action_dispatch/middleware/session/cookie_store'
+ autoload :EncryptedCookieStore, 'action_dispatch/middleware/session/cookie_store'
+ autoload :MemCacheStore, 'action_dispatch/middleware/session/mem_cache_store'
+ autoload :CacheStore, 'action_dispatch/middleware/session/cache_store'
end
mattr_accessor :test_app
diff --git a/actionpack/lib/action_dispatch/middleware/session/cookie_store.rb b/actionpack/lib/action_dispatch/middleware/session/cookie_store.rb
index 3f28ea75ef..039846688e 100644
--- a/actionpack/lib/action_dispatch/middleware/session/cookie_store.rb
+++ b/actionpack/lib/action_dispatch/middleware/session/cookie_store.rb
@@ -57,8 +57,7 @@ module ActionDispatch
def unpacked_cookie_data(env)
env["action_dispatch.request.unsigned_session_cookie"] ||= begin
stale_session_check! do
- request = ActionDispatch::Request.new(env)
- if data = request.cookie_jar.signed[@key]
+ if data = cookie_jar(env)[@key]
data.stringify_keys!
end
data || {}
@@ -72,8 +71,26 @@ module ActionDispatch
end
def set_cookie(env, session_id, cookie)
+ cookie_jar(env)[@key] = cookie
+ end
+
+ def get_cookie
+ cookie_jar(env)[@key]
+ end
+
+ def cookie_jar(env)
+ request = ActionDispatch::Request.new(env)
+ request.cookie_jar.signed
+ end
+ end
+
+ class EncryptedCookieStore < CookieStore
+
+ private
+
+ def cookie_jar(env)
request = ActionDispatch::Request.new(env)
- request.cookie_jar.signed[@key] = cookie
+ request.cookie_jar.encrypted
end
end
end
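Review bot: `get_cookie` takes no parameter but calls `cookie_jar(env)`, so `env` is unresolved inside it and the method raises the first time it is invoked; it should read `def get_cookie(env)`. No caller appears in this diff, so it may be unused today, but as written it cannot work, whereas `set_cookie` and the `unpacked_cookie_data` change in the previous hunk are fine because both receive `env`. The visibility of `cookie_jar` in `CookieStore` is not visible here; `EncryptedCookieStore` places its override under `private`, and the two should agree, since a subclass override otherwise takes its own visibility. Style: drop the blank line directly after `class EncryptedCookieStore < CookieStore`.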
diff --git a/railties/lib/rails/generators/rails/app/templates/config/initializers/session_store.rb.tt b/railties/lib/rails/generators/rails/app/templates/config/initializers/session_store.rb.tt
index 4a099a4ce2..df07de9922 100644
--- a/railties/lib/rails/generators/rails/app/templates/config/initializers/session_store.rb.tt
+++ b/railties/lib/rails/generators/rails/app/templates/config/initializers/session_store.rb.tt
@@ -1,3 +1,3 @@
# Be sure to restart your server when you modify this file.
-<%= app_const %>.config.session_store :cookie_store, key: <%= "'_#{app_name}_session'" %>
+<%= app_const %>.config.session_store :encrypted_cookie_store, key: <%= "'_#{app_name}_session'" %>
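Review bot: The generated initializer's only comment still says to restart the server, while the line it introduces now selects `:encrypted_cookie_store` rather than `:cookie_store`; a one-line comment such as `# Session data is stored in an encrypted (not merely signed) cookie; changing the app's secret invalidates existing sessions.` would tell app authors what the new default means. Whether sessions written under the previous `:cookie_store` default are readable by the encrypted store is not shown in this diff — presumably not, and that upgrade caveat belongs in the same comment if confirmed.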
diff --git a/railties/test/application/middleware/session_test.rb b/railties/test/application/middleware/session_test.rb
index 5ce41caf61..b1a19d590c 100644
--- a/railties/test/application/middleware/session_test.rb
+++ b/railties/test/application/middleware/session_test.rb
@@ -128,5 +128,56 @@ module ApplicationTests
get '/foo/read_cookie' # Cookie shouldn't be changed
assert_equal '"1"', last_response.body
end
+
+ test "session using encrypted cookie store" do
+ app_file 'config/routes.rb', <<-RUBY
+ AppTemplate::Application.routes.draw do
+ get ':controller(/:action)'
+ end
+ RUBY
+
+ controller :foo, <<-RUBY
+ class FooController < ActionController::Base
+ def write_session
+ session[:foo] = 1
+ render nothing: true
+ end
+
+ def read_session
+ render text: session[:foo]
+ end
+
+ def read_encrypted_cookie
+ render text: cookies.encrypted[:_myapp_session]['foo']
+ end
+
+ def read_raw_cookie
+ render text: cookies[:_myapp_session]
+ end
+ end
+ RUBY
+
+ add_to_config <<-RUBY
+ config.session_store :encrypted_cookie_store, key: '_myapp_session'
+ config.action_dispatch.derive_signed_cookie_key = true
+ RUBY
+
+ require "#{app_path}/config/environment"
+
+ get '/foo/write_session'
+ get '/foo/write_session'
+ get '/foo/read_session'
+ assert_equal '1', last_response.body
+
+ get '/foo/read_encrypted_cookie'
+ assert_equal '1', last_response.body
+
+ secret = app.key_generator.generate_key('encrypted cookie')
+ sign_secret = app.key_generator.generate_key('signed encrypted cookie')
+ encryptor = ActiveSupport::MessageEncryptor.new(secret, sign_secret)
+
+ get '/foo/read_raw_cookie'
+ assert_equal 1, encryptor.decrypt_and_verify(last_response.body)['foo']
+ end
end
end
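Review bot: `get '/foo/write_session'` is issued twice in a row before `read_session` with no explanation, unlike the existing test just above this hunk, which annotates its repeated request with `# Cookie shouldn't be changed`; add a comment such as `# second request overwrites an existing encrypted cookie — the value must still round-trip` (presumably the intent, confirm) or drop the duplicate if it is accidental. The test also only covers the positive path — the raw cookie decrypts to the session hash — and never checks that a modified cookie is rejected; one more assertion that `encryptor.decrypt_and_verify` raises when `last_response.body` has been altered would pin the integrity guarantee the store depends on. The enclosing test class opens outside the hunk.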
diff --git a/railties/test/generators/app_generator_test.rb b/railties/test/generators/app_generator_test.rb
index 62e1f3531e..5ea31f2e0f 100644
--- a/railties/test/generators/app_generator_test.rb
+++ b/railties/test/generators/app_generator_test.rb
@@ -341,7 +341,7 @@ class AppGeneratorTest < Rails::Generators::TestCase
def test_new_hash_style
run_generator [destination_root]
assert_file "config/initializers/session_store.rb" do |file|
- assert_match(/config.session_store :cookie_store, key: '_.+_session'/, file)
+ assert_match(/config.session_store :encrypted_cookie_store, key: '_.+_session'/, file)
end
end