authorRafael França <rafaelmfranca@gmail.com>2015-12-31 03:25:47 -0200
committerRafael França <rafaelmfranca@gmail.com>2015-12-31 03:25:47 -0200
commit1f85e1c9f34c7b0bdc1bddad5f914d61cb2a5435 (patch)
tree152bd22d94f0c4976cd182c7215db78472fc7b51 /railties
parent3e1afd34d0639a15ff565e0f1a57bca108ef203f (diff)
parent32b1c90837570a69841e9ffccff513c74fb7a308 (diff)
Merge pull request #22826 from timrogers/actiondispatch-ssl-config
Configurable redirect and secure cookies for ActionDispatch::SSL
Diffstat (limited to 'railties')
-rw-r--r--railties/lib/rails/application/default_middleware_stack.rb2
-rw-r--r--railties/test/application/middleware/session_test.rb9
2 files changed, 9 insertions, 2 deletions
diff --git a/railties/lib/rails/application/default_middleware_stack.rb b/railties/lib/rails/application/default_middleware_stack.rb
index ed6a1f82d3..4f1cc0703d 100644
--- a/railties/lib/rails/application/default_middleware_stack.rb
+++ b/railties/lib/rails/application/default_middleware_stack.rb
@@ -68,7 +68,7 @@ module Rails
middleware.use ::ActionDispatch::Cookies unless config.api_only
if !config.api_only && config.session_store
- if config.force_ssl && !config.session_options.key?(:secure)
+ if config.force_ssl && config.ssl_options.fetch(:secure_cookies, true) && !config.session_options.key?(:secure)
config.session_options[:secure] = true
end
middleware.use config.session_store, config.session_options
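Review bot: On the new condition line, `config.ssl_options.fetch(:secure_cookies, true)` treats any falsy stored value as an opt-out, so `secure_cookies: nil` leaves the session cookie without the Secure attribute just as `false` does, even with force_ssl on. An explicit comparison, `config.ssl_options.fetch(:secure_cookies, true) != false`, would keep the cookie secure unless the application asks for the opposite outright; whether that matches how ActionDispatch::SSL reads the same option is not visible here and should be checked. The line would also benefit from a comment such as `# secure_cookies: false leaves the session cookie without the Secure attribute even under force_ssl, so it can travel over plain HTTP`. The enclosing method starts and ends outside the hunk.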
diff --git a/railties/test/application/middleware/session_test.rb b/railties/test/application/middleware/session_test.rb
index 25eadfc387..f847e80471 100644
--- a/railties/test/application/middleware/session_test.rb
+++ b/railties/test/application/middleware/session_test.rb
@@ -20,12 +20,19 @@ module ApplicationTests
@app ||= Rails.application
end
- test "config.force_ssl sets cookie to secure only" do
+ test "config.force_ssl sets cookie to secure only by default" do
add_to_config "config.force_ssl = true"
require "#{app_path}/config/environment"
assert app.config.session_options[:secure], "Expected session to be marked as secure"
end
+ test "config.force_ssl doesn't set cookie to secure only when changed from default" do
+ add_to_config "config.force_ssl = true"
+ add_to_config "config.ssl_options = { secure_cookies: false }"
+ require "#{app_path}/config/environment"
+ assert !app.config.session_options[:secure]
+ end
+
test "session is not loaded if it's not used" do
make_basic_app
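Review bot: The added opt-out test ends in `assert !app.config.session_options[:secure]` with no failure message, while the test above it passes one. Something like `assert_not app.config.session_options[:secure], "Expected session not to be marked as secure"` would read more clearly and fail with context, assuming this test case inherits the ActiveSupport assertions. The test also only covers the case where `session_options` has no `:secure` key; a case with an explicit `secure: true` in the session options alongside `secure_cookies: false` would pin down that the explicit setting is kept.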