-rw-r--r-- | config/initializers/auto_secure_cookies.rb | 17 | ||||
-rw-r--r-- | config/initializers/session_store.rb | 2 |
2 files changed, 18 insertions, 1 deletions
diff --git a/config/initializers/auto_secure_cookies.rb b/config/initializers/auto_secure_cookies.rb
new file mode 100644
index 0000000..004795f
--- /dev/null
+++ b/config/initializers/auto_secure_cookies.rb
@@ -0,0 +1,17 @@
+# rails only allows to globally flag session cookies as either secure or not
+# this patch sets the secure flag for cookies based on the protocol (@secure)
+# this is used to send cookies via http but flag them secure for https
+# which allows use with HTTP over Tor for an onion domain
+# this is acceptable because nginx redirects clearnet http to https
+
+module ActionDispatch
+ class Cookies
+ class CookieJar
+ private
+ def write_cookie?(cookie)
+ cookie[:secure] = @secure
+ true
+ end
+ end
+ end
+end
\ No newline at end of file
diff --git a/config/initializers/session_store.rb b/config/initializers/session_store.rb
index d2c5fb0..b9c9633 100644
--- a/config/initializers/session_store.rb
+++ b/config/initializers/session_store.rb
@@ -6,4 +6,4 @@
 Redstoner::Application.config.session_store :active_record_store,
 key: 'redstoner_session',
 expire_after: 5.days,
- secure: Rails.env.production?
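Review bot: Once config/initializers/session_store.rb drops to `secure: nil`, this override of `write_cookie?` is the only thing that ever puts the Secure flag on the production session cookie, so a Rails upgrade that renames `write_cookie?` or stops setting `@secure` would silently ship the session cookie without Secure over HTTPS instead of failing. A guard at the top of the file makes the dependency fail loudly, e.g. `raise "auto_secure_cookies: CookieJar#write_cookie? missing, cookies would lose the Secure flag" unless ActionDispatch::Cookies::CookieJar.private_method_defined?(:write_cookie?)`. The body also widens the change beyond the session cookie: `cookie[:secure] = @secure` overwrites an explicit `secure: true` passed by any caller and the unconditional `true` disables Rails' refusal to emit a Secure-flagged cookie on a plain-HTTP request for every cookie, and a `?` predicate that mutates its argument is easy to misread — the header comment should state both effects, e.g. `# NOTE: overrides any per-cookie :secure option and always writes the cookie; @secure is presumably request.ssl?, which behind nginx depends on the proxy setting the forwarded-proto header — confirm`. The same coupling applies to the `secure: nil` line in the session_store.rb hunk.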
\ No newline at end of file
+ secure: nil # see config/initializers/auto_secure_cookies.rb
\ No newline at end of file |