Secure Cookies should only be transmitted over SSL
Reported by W. Andrew Loe III | September 13th, 2010 @ 10:34 PM
If a cookie is marked 'secure' it should only be sent to the browser over SSL or else it may be intercepted.
This can be confusing (especially in development mode) because it will no-op if the request is not SSL and it can be hard to track down to :secure => true in the session options.
I am setting the flag as 'secure', older versions of Rails have set it to 'Secure' but I cannot find a spec that specifies if the capitalization matters.
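The behaviour described in this ticket, as an added example that is not Rails' or the reporter's own code: a minimal Rack-style session store that no-ops instead of sending a cookie flagged secure over plain HTTP, plus a check that reads the flag case-insensitively (RFC 6265 compares cookie attribute names case-insensitively). The class name, option names and the ssl? heuristic are assumptions.

```ruby
# Added example (not Rails' own code): a simplified cookie session store
# mirroring the fix discussed in the ticket. Names and options are assumed.
class SecureCookieStore
  DEFAULT_OPTIONS = { key: '_session_id', secure: false, httponly: true }.freeze

  def initialize(app, options = {})
    @app = app
    @options = DEFAULT_OPTIONS.merge(options)
  end

  # Simplified version of what a Rack request's ssl? check looks at:
  # direct TLS, or a proxy header saying the original request was HTTPS.
  def ssl?(env)
    env['rack.url_scheme'] == 'https' ||
      env['HTTPS'] == 'on' ||
      env['HTTP_X_FORWARDED_PROTO'].to_s.split(',').first.to_s.strip == 'https'
  end

  def call(env)
    status, headers, body = @app.call(env)
    # The point of the ticket: a cookie marked secure must never leave the
    # server over plain HTTP, so the store silently no-ops instead.
    return [status, headers, body] if @options[:secure] && !ssl?(env)

    headers['Set-Cookie'] = build_cookie(env['rack.session.id'] || 'constructed-sid')
    [status, headers, body]
  end

  def build_cookie(value)
    parts = ["#{@options[:key]}=#{value}", 'path=/']
    parts << 'secure' if @options[:secure]
    parts << 'HttpOnly' if @options[:httponly]
    parts.join('; ')
  end
end

# Attribute names are case-insensitive per RFC 6265, so 'secure' and
# 'Secure' (as older Rails emitted) are the same flag to a conforming browser.
def secure_flag?(set_cookie_header)
  set_cookie_header.split(';').map(&:strip).any? { |a| a.casecmp('secure').zero? }
end

# Helper for trying the store against a constructed env and a trivial app.
def session_cookie_for(env, options)
  app = ->(_env) { [200, {}, ['ok']] }
  _status, headers, _body = SecureCookieStore.new(app, options).call(env)
  headers['Set-Cookie']
end
```

Running `session_cookie_for({ 'rack.url_scheme' => 'http' }, secure: true)` returns nil, which is exactly the silent no-op the report says is hard to track down in development.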
Comments and changes to this ticket
-
W. Andrew Loe III September 13th, 2010 @ 10:34 PM
If this is accepted I will backport to 3-0-stable and 2-3-stable.
-
Aaron Patterson September 13th, 2010 @ 11:12 PM
- State changed from new to committed
- Importance changed from to Low
I've applied to master. :-)
Send me the backports and I'll apply them as well.
-
W. Andrew Loe III September 14th, 2010 @ 12:28 AM
Turns out the patch is exactly the same for 3-0-stable.
2-3-stable patch is attached. The tests for 2-3-stable are seemingly duplicated, but I deemed it necessary since the CookieStore implements its own call() that is subtly different. The MemCacheStore tests exercise the AbstractStore implementation.