Don't write out secure cookies unless the request is secure

1 files changed, 23 insertions, 0 deletions

diff --git a/actionpack/test/dispatch/cookies_test.rb b/actionpack/test/dispatch/cookies_test.rb
index efdc1f5d93..faeae91f6b 100644
--- a/actionpack/test/dispatch/cookies_test.rb
+++ b/actionpack/test/dispatch/cookies_test.rb
@@ -135,11 +135,25 @@ class CookiesTest < ActionController::TestCase
   end
 
   def test_setting_cookie_with_secure
+    @request.env["HTTPS"] = "on"
     get :authenticate_with_secure
     assert_cookie_header "user_name=david; path=/; secure"
     assert_equal({"user_name" => "david"}, @response.cookies)
   end
 
+  def test_setting_cookie_with_secure_in_development
+    Rails.env.stubs(:development?).returns(true)
+    get :authenticate_with_secure
+    assert_cookie_header "user_name=david; path=/; secure"
+    assert_equal({"user_name" => "david"}, @response.cookies)
+  end
+
+  def test_not_setting_cookie_with_secure
+    get :authenticate_with_secure
+    assert_not_cookie_header "user_name=david; path=/; secure"
+    assert_not_equal({"user_name" => "david"}, @response.cookies)
+  end
+
   def test_multiple_cookies
     get :set_multiple_cookies
     assert_equal 2, @response.cookies.size
@@ -286,4 +300,13 @@ class CookiesTest < ActionController::TestCase
         assert_equal expected.split("\n"), header
       end
     end
+
+    def assert_not_cookie_header(expected)
+      header = @response.headers["Set-Cookie"]
+      if header.respond_to?(:to_str)
+        assert_not_equal expected.split("\n").sort, header.split("\n").sort
+      else
+        assert_not_equal expected.split("\n"), header
+      end
+    end
 end