From 9cd094b8da492b711002dd4b1f2792f315e9bde0 Mon Sep 17 00:00:00 2001
From: "W. Andrew Loe III" <andrew@andrewloe.com>
Date: Mon, 13 Sep 2010 14:29:25 -0700
Subject: Only send secure cookies over SSL.

---
 actionpack/test/dispatch/cookies_test.rb              | 11 +++++++++++
 actionpack/test/dispatch/session/cookie_store_test.rb | 17 +++++++++++++++++
 2 files changed, 28 insertions(+)

(limited to 'actionpack/test/dispatch')

diff --git a/actionpack/test/dispatch/cookies_test.rb b/actionpack/test/dispatch/cookies_test.rb
index cadae5d97f..360fb351df 100644
--- a/actionpack/test/dispatch/cookies_test.rb
+++ b/actionpack/test/dispatch/cookies_test.rb
@@ -47,6 +47,11 @@ class CookiesTest < ActionController::TestCase
       cookies["user_name"] = { :value => "david", :httponly => true }
       head :ok
     end
+    
+    def authenticate_with_secure
+      cookies["user_name"] = { :value => "david", :secure => true }
+      head :ok
+    end
 
     def set_permanent_cookie
       cookies.permanent[:user_name] = "Jamie"
@@ -128,6 +133,12 @@ class CookiesTest < ActionController::TestCase
     assert_cookie_header "user_name=david; path=/; HttpOnly"
     assert_equal({"user_name" => "david"}, @response.cookies)
   end
+  
+  def test_setting_cookie_with_secure
+    get :authenticate_with_secure
+    assert_cookie_header "user_name=david; path=/; secure"
+    assert_equal({"user_name" => "david"}, @response.cookies)
+  end
 
   def test_multiple_cookies
     get :set_multiple_cookies
diff --git a/actionpack/test/dispatch/session/cookie_store_test.rb b/actionpack/test/dispatch/session/cookie_store_test.rb
index 496fa69093..dd580f0692 100644
--- a/actionpack/test/dispatch/session/cookie_store_test.rb
+++ b/actionpack/test/dispatch/session/cookie_store_test.rb
@@ -105,6 +105,23 @@ class CookieStoreTest < ActionController::IntegrationTest
       assert_equal 'foo: nil', response.body
     end
   end
+  
+  def test_does_not_set_secure_cookies_over_http
+    with_test_route_set(:secure => true) do
+      get '/set_session_value'
+      assert_response :success
+      assert_equal nil, headers['Set-Cookie']
+    end
+  end
+  
+  def test_does_set_secure_cookies_over_https
+    with_test_route_set(:secure => true) do
+      get '/set_session_value', nil, 'HTTPS' => 'on'
+      assert_response :success
+      assert_equal "_myapp_session=#{response.body}; path=/; secure; HttpOnly",
+        headers['Set-Cookie']
+    end
+  end
 
   # {:foo=>#<SessionAutoloadTest::Foo bar:"baz">, :session_id=>"ce8b0752a6ab7c7af3cdb8a80e6b9e46"}
   SignedSerializedCookie = "BAh7BzoIZm9vbzodU2Vzc2lvbkF1dG9sb2FkVGVzdDo6Rm9vBjoJQGJhciIIYmF6Og9zZXNzaW9uX2lkIiVjZThiMDc1MmE2YWI3YzdhZjNjZGI4YTgwZTZiOWU0Ng==--2bf3af1ae8bd4e52b9ac2099258ace0c380e601c"
-- 
cgit v1.2.3