From 2d5a12a50bcd83fcc99865de759b82e661b28698 Mon Sep 17 00:00:00 2001
From: Andrew White <andyw@pixeltrix.co.uk>
Date: Fri, 22 Oct 2010 15:34:45 +0100
Subject: Don't write out secure cookies unless the request is secure

---
 actionpack/lib/action_dispatch/middleware/cookies.rb | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

(limited to 'actionpack/lib/action_dispatch')

diff --git a/actionpack/lib/action_dispatch/middleware/cookies.rb b/actionpack/lib/action_dispatch/middleware/cookies.rb
index 75c8cc3dd0..836416857c 100644
--- a/actionpack/lib/action_dispatch/middleware/cookies.rb
+++ b/actionpack/lib/action_dispatch/middleware/cookies.rb
@@ -98,17 +98,19 @@ module ActionDispatch
       def self.build(request)
         secret = request.env[TOKEN_KEY]
         host = request.host
+        secure = request.ssl?
 
-        new(secret, host).tap do |hash|
+        new(secret, host, secure).tap do |hash|
           hash.update(request.cookies)
         end
       end
 
-      def initialize(secret = nil, host = nil)
+      def initialize(secret = nil, host = nil, secure = false)
         @secret = secret
         @set_cookies = {}
         @delete_cookies = {}
         @host = host
+        @secure = secure
 
         super()
       end
@@ -193,9 +195,15 @@ module ActionDispatch
       end
 
       def write(headers)
-        @set_cookies.each { |k, v| ::Rack::Utils.set_cookie_header!(headers, k, v) }
+        @set_cookies.each { |k, v| ::Rack::Utils.set_cookie_header!(headers, k, v) if write_cookie?(v) }
         @delete_cookies.each { |k, v| ::Rack::Utils.delete_cookie_header!(headers, k, v) }
       end
+
+      private
+
+        def write_cookie?(cookie)
+          @secure || !cookie[:secure] || Rails.env.development?
+        end
     end
 
     class PermanentCookieJar < CookieJar #:nodoc:
-- 
cgit v1.2.3