From 9cd094b8da492b711002dd4b1f2792f315e9bde0 Mon Sep 17 00:00:00 2001
From: "W. Andrew Loe III" <andrew@andrewloe.com>
Date: Mon, 13 Sep 2010 14:29:25 -0700
Subject: Only send secure cookies over SSL.

---
 actionpack/lib/action_dispatch/middleware/session/abstract_store.rb | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

(limited to 'actionpack/lib/action_dispatch/middleware/session/abstract_store.rb')

diff --git a/actionpack/lib/action_dispatch/middleware/session/abstract_store.rb b/actionpack/lib/action_dispatch/middleware/session/abstract_store.rb
index dd82294644..348a2d1eb2 100644
--- a/actionpack/lib/action_dispatch/middleware/session/abstract_store.rb
+++ b/actionpack/lib/action_dispatch/middleware/session/abstract_store.rb
@@ -152,6 +152,10 @@ module ActionDispatch
         options = env[ENV_SESSION_OPTIONS_KEY]
 
         if !session_data.is_a?(AbstractStore::SessionHash) || session_data.loaded? || options[:expire_after]
+          request = ActionDispatch::Request.new(env)
+
+          return response if (options[:secure] && !request.ssl?)
+
           session_data.send(:load!) if session_data.is_a?(AbstractStore::SessionHash) && !session_data.loaded?
 
           sid = options[:id] || generate_sid
@@ -165,7 +169,6 @@ module ActionDispatch
             cookie[:expires] = Time.now + options.delete(:expire_after)
           end
 
-          request = ActionDispatch::Request.new(env)
           set_cookie(request, cookie.merge!(options))
         end
 
-- 
cgit v1.2.3