Don't write out secure cookies unless the request is secure

3 files changed, 39 insertions, 3 deletions

diff --git a/actionpack/lib/action_dispatch/middleware/cookies.rb b/actionpack/lib/action_dispatch/middleware/cookies.rb
index 75c8cc3dd0..836416857c 100644
--- a/actionpack/lib/action_dispatch/middleware/cookies.rb
+++ b/actionpack/lib/action_dispatch/middleware/cookies.rb
@@ -98,17 +98,19 @@ module ActionDispatch
       def self.build(request)
         secret = request.env[TOKEN_KEY]
         host = request.host
+        secure = request.ssl?
 
-        new(secret, host).tap do |hash|
+        new(secret, host, secure).tap do |hash|
           hash.update(request.cookies)
         end
       end
 
-      def initialize(secret = nil, host = nil)
+      def initialize(secret = nil, host = nil, secure = false)
         @secret = secret
         @set_cookies = {}
         @delete_cookies = {}
         @host = host
+        @secure = secure
 
         super()
       end
@@ -193,9 +195,15 @@ module ActionDispatch
       end
 
       def write(headers)
-        @set_cookies.each { |k, v| ::Rack::Utils.set_cookie_header!(headers, k, v) }
+        @set_cookies.each { |k, v| ::Rack::Utils.set_cookie_header!(headers, k, v) if write_cookie?(v) }
         @delete_cookies.each { |k, v| ::Rack::Utils.delete_cookie_header!(headers, k, v) }
       end
+
+      private
+
+        def write_cookie?(cookie)
+          @secure || !cookie[:secure] || Rails.env.development?
+        end
     end
 
     class PermanentCookieJar < CookieJar #:nodoc:
diff --git a/actionpack/test/abstract_unit.rb b/actionpack/test/abstract_unit.rb
index 470b36dbe2..92597e40ff 100644
--- a/actionpack/test/abstract_unit.rb
+++ b/actionpack/test/abstract_unit.rb
@@ -47,6 +47,11 @@ end
 require 'pp' # require 'pp' early to prevent hidden_methods from not picking up the pretty-print methods until too late
 
 module Rails
+  class << self
+    def env
+      @_env ||= ActiveSupport::StringInquirer.new(ENV["RAILS_ENV"] || ENV["RACK_ENV"] || "test")
+    end
+  end
 end
 
 ActiveSupport::Dependencies.hook!
diff --git a/actionpack/test/dispatch/cookies_test.rb b/actionpack/test/dispatch/cookies_test.rb
index efdc1f5d93..faeae91f6b 100644
--- a/actionpack/test/dispatch/cookies_test.rb
+++ b/actionpack/test/dispatch/cookies_test.rb
@@ -135,11 +135,25 @@ class CookiesTest < ActionController::TestCase
   end
 
   def test_setting_cookie_with_secure
+    @request.env["HTTPS"] = "on"
     get :authenticate_with_secure
     assert_cookie_header "user_name=david; path=/; secure"
     assert_equal({"user_name" => "david"}, @response.cookies)
   end
 
+  def test_setting_cookie_with_secure_in_development
+    Rails.env.stubs(:development?).returns(true)
+    get :authenticate_with_secure
+    assert_cookie_header "user_name=david; path=/; secure"
+    assert_equal({"user_name" => "david"}, @response.cookies)
+  end
+
+  def test_not_setting_cookie_with_secure
+    get :authenticate_with_secure
+    assert_not_cookie_header "user_name=david; path=/; secure"
+    assert_not_equal({"user_name" => "david"}, @response.cookies)
+  end
+
   def test_multiple_cookies
     get :set_multiple_cookies
     assert_equal 2, @response.cookies.size
@@ -286,4 +300,13 @@ class CookiesTest < ActionController::TestCase
         assert_equal expected.split("\n"), header
       end
     end
+
+    def assert_not_cookie_header(expected)
+      header = @response.headers["Set-Cookie"]
+      if header.respond_to?(:to_str)
+        assert_not_equal expected.split("\n").sort, header.split("\n").sort
+      else
+        assert_not_equal expected.split("\n"), header
+      end
+    end
 end