Created
October 1, 2008 14:19
# For what I have done, please forgive me.
# This monkey patch adds HttpOnly support for the session cookie.
# This is present and accepted into Rails 2.2 at the time of writing, but not in Rails 2.1.
# You can remove this and set HttpOnly properly when moving to Rails 2.2.
# Session defaults for both request adapters. The two hashes match the Rails 2.1
# originals except for :session_http_only, which is the point of this patch:
# CGI::Session::CookieStore#initialize reads 'session_http_only' from its options
# and copies it into the cookie attributes as 'http_only' (the symbol keys here are
# presumably stringified on the way there — confirm against the session setup code).
# No :session_secure default is set here; the store reads that flag from whatever
# the application puts in its session options.
module ActionController
  class RackRequest
    DEFAULT_SESSION_OPTIONS = {
      :database_manager  => CGI::Session::CookieStore, # session data lives in the cookie itself
      :prefix            => "ruby_sess.",              # prefix for session file names
      :session_path      => "/",                       # cookie is sent for every path of the app
      :session_key       => "_session_id",
      :cookie_only       => true,
      :session_http_only => true                       # HttpOnly: cookie not exposed to script
    }
  end

  class CgiRequest
    DEFAULT_SESSION_OPTIONS = {
      :database_manager  => CGI::Session::CookieStore, # session data lives in the cookie itself
      :prefix            => "ruby_sess.",              # prefix for session file names
      :session_path      => "/",                       # cookie is sent for every path of the app
      :session_key       => "_session_id",
      :cookie_only       => true,
      :session_http_only => true                       # HttpOnly: cookie not exposed to script
    }
  end
end
# Rails 2.1's cookie-backed session store, reopened so that #initialize also
# honours the 'session_http_only' option. Only #initialize is redefined here;
# the rest of the class (including ensure_secret_secure) comes from Rails.
class CGI::Session::CookieStore
  # @param session [CGI::Session] the session this store reads and writes for
  # @param options [Hash] String-keyed session options. 'session_key' and
  #   'secret' are mandatory; 'digest' defaults to 'SHA1'; 'session_path',
  #   'session_domain', 'session_expires', 'session_secure' and
  #   'session_http_only' become the cookie attributes.
  # @raise [ArgumentError] when 'session_key' is blank; ensure_secret_secure
  #   (defined elsewhere in the class) presumably raises on a missing secret
  def initialize(session, options = {})
    # A blank session key means no cookie can be written, so fail loudly.
    raise ArgumentError, 'A session_key is required to write a cookie containing the session data. Use config.action_controller.session = { :session_key => "_myapp_session", :secret => "some secret phrase" } in config/environment.rb' if options['session_key'].blank?

    # Validate the signing secret before anything is stored.
    ensure_secret_secure(options['secret'])

    @session = session
    @secret  = options['secret']
    @digest  = options['digest'] || 'SHA1' # message digest used for the cookie signature

    # Cookie attributes, each lifted from the matching 'session_*' option.
    # 'http_only' is the addition this patch makes; it is what gets the
    # HttpOnly flag onto the session cookie.
    @cookie_options = { 'name' => options['session_key'] }
    %w[path domain expires secure http_only].each do |attribute|
      @cookie_options[attribute] = options["session_#{attribute}"]
    end

    # The session id is unused and this store writes its own data cookie, so
    # tell the caller to emit neither a hidden field nor a cookie of its own.
    options['no_hidden']  = true
    options['no_cookies'] = true
  end
end