author    jomo <github@jomo.tv>  2017-01-08 08:06:37 +0100
committer jomo <github@jomo.tv>  2017-01-08 08:06:37 +0100
commit    61edf2788833e9cc1acd5e697e31c31ed3962bdb (patch)
tree      fce06cb8c5cd0673a2c4a5615dfb6b48f23bb771
parent    abeb405bab21bcd216fd9f9b894cd23fbc53a06b (diff)
add CookieJar patch to flag cookies as secure based on the connection protocol
Rails only allows session cookies to be globally flagged as either secure or not. This patch sets the secure flag for cookies based on the protocol (http/https). This is used to send cookies via http but flag them secure for https, which allows use with HTTP over Tor for an onion domain. This is acceptable because nginx redirects clearnet http to https.
-rw-r--r--  config/initializers/auto_secure_cookies.rb  17
-rw-r--r--  config/initializers/session_store.rb          2
2 files changed, 18 insertions, 1 deletions
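The commit message describes the policy in one sentence: the Secure attribute follows the connection scheme instead of a global setting. The example below is added here to make that policy concrete; it is not code from this commit or from Rails. It is plain Ruby with no Rails dependency: `scheme_based_policy` mirrors what the patch does (always write the cookie, set `secure` from the connection), while `stock_policy` encodes the reviewer's assumption of the unpatched behaviour (a cookie marked `secure: true` is only written over TLS); that assumption, and every function name here, belongs to this example. Rendering a `Set-Cookie` header from both policies shows the trade-off the commit accepts: over plain http a cookie that a controller explicitly marked secure is emitted without the flag rather than withheld.

```ruby
# Added example, not the commit's code. Decides the Secure attribute of a
# cookie from the connection scheme and renders a Set-Cookie header, so the
# two policies can be compared on the same inputs.

# Policy taken by the patch: the cookie is always written, and its Secure
# attribute is whatever the connection is (https => Secure, http => not).
# Note that an explicit cookie[:secure] from the caller is overwritten.
def scheme_based_policy(cookie, ssl:)
  written = cookie.dup
  written[:secure] = ssl
  [true, written]
end

# Assumed stock behaviour (assumption, not verified against a Rails version):
# a cookie marked secure is only written over TLS; otherwise it is dropped.
def stock_policy(cookie, ssl:)
  [ssl || !cookie[:secure], cookie.dup]
end

# Render the attributes actually sent to the browser. Only the attributes
# relevant to this comparison are handled.
def set_cookie_header(name, cookie)
  parts = ["#{name}=#{cookie[:value]}"]
  parts << "path=#{cookie[:path]}" if cookie[:path]
  parts << "HttpOnly" if cookie[:httponly]
  parts << "secure" if cookie[:secure]
  parts.join("; ")
end

# Apply a policy (given by method name) and return the header, or nil when
# the policy refuses to write the cookie at all.
def render_cookie(name, cookie, ssl:, policy:)
  write, final = send(policy, cookie, ssl: ssl)
  write ? set_cookie_header(name, final) : nil
end

if __FILE__ == $PROGRAM_NAME
  session = { value: "abc123", path: "/", httponly: true }   # constructed sample
  [true, false].each do |ssl|
    puts "ssl=#{ssl} patched: #{render_cookie('sess', session, ssl: ssl, policy: :scheme_based_policy)}"
  end
  # A cookie the caller explicitly marked secure, served over plain http:
  explicit = { value: "tok", secure: true }
  puts "http, explicit secure, stock:   #{render_cookie('t', explicit, ssl: false, policy: :stock_policy).inspect}"
  puts "http, explicit secure, patched: #{render_cookie('t', explicit, ssl: false, policy: :scheme_based_policy).inspect}"
end
```

Run with `ruby auto_secure_cookies_example.rb`. The last two lines of output are the point: the stock policy withholds the explicitly-secure cookie on http (`nil`), while the scheme-based policy sends it without `secure`, which is acceptable for the .onion case only because, as the commit message says, clearnet http is redirected to https before any cookie is set.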
diff --git a/config/initializers/auto_secure_cookies.rb b/config/initializers/auto_secure_cookies.rb
new file mode 100644
index 0000000..004795f
--- /dev/null
+++ b/config/initializers/auto_secure_cookies.rb
@@ -0,0 +1,17 @@
+# rails only allows to globally flag session cookies as either secure or not
+# this patch sets the secure flag for cookies based on the protocol (@secure)
+# this is used to send cookies via http but flag them secure for https
+# which allows use with HTTP over Tor for an onion domain
+# this is acceptable because nginx redirects clearnet http to https
+
+module ActionDispatch
+ class Cookies
+ class CookieJar
+ private
+ def write_cookie?(cookie)
+ cookie[:secure] = @secure
+ true
+ end
+ end
+ end
+end \ No newline at end of file
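Review bot: the reopened `write_cookie?` replaces a private Rails internal with no guard, so a later Rails release that renames the method or stops setting `@secure` would either leave the override dead or assign `cookie[:secure] = nil`, and in both cases every cookie goes out without the Secure flag with nothing to notice. Suggest failing at boot before the reopen, e.g. `raise "write_cookie? missing" unless ActionDispatch::Cookies::CookieJar.private_method_defined?(:write_cookie?)`, plus a request spec that asserts `; secure` is present in Set-Cookie for an https request. Second, `cookie[:secure] = @secure` also clobbers an explicit `secure: true` passed by a controller, so such a cookie is sent unflagged over the onion http path instead of being withheld; if that is intended, the comment block at the top should say so. Minor: the file has no trailing newline.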
diff --git a/config/initializers/session_store.rb b/config/initializers/session_store.rb
index d2c5fb0..b9c9633 100644
--- a/config/initializers/session_store.rb
+++ b/config/initializers/session_store.rb
@@ -6,4 +6,4 @@
Redstoner::Application.config.session_store :active_record_store,
key: 'redstoner_session',
expire_after: 5.days,
- secure: Rails.env.production? \ No newline at end of file
+ secure: nil # see config/initializers/auto_secure_cookies.rb \ No newline at end of file
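Review bot: with `secure: nil` the Secure flag on production sessions now rests entirely on the override in config/initializers/auto_secure_cookies.rb, and the old `Rails.env.production?` guard is gone, so if that initializer is removed or stops applying, production sessions are sent without the flag and nothing in this file catches it. Suggest a test that the session Set-Cookie carries `; secure` under an https request, and either dropping the `secure:` key and keeping only the comment (an absent key and `nil` are both falsy here) or keeping the explicit `nil` but saying in the comment that it is intentional. Both the old and new line lack a trailing newline.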