
Ticket #8895: http_only_cookies.patch

File http_only_cookies.patch, 3.7 kB (added by Spakman, 1 year ago)

Patch to give ability to set HttpOnly cookies

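--- a/test/controller/cookie_test.rb
+++ b/test/controller/cookie_test.rb
@@ -36,6 +36,10 @@
       render_text "hello world"
     end
 
+    def authenticate_with_http_only
+      cookies["user_name"] = { :value => "david", :http_only => true }
+    end
+
     def rescue_action(e)
       raise unless ActionController::MissingTemplate # No templates here, and we don't care about the output
     end
@@ -69,6 +73,12 @@
     assert_equal [ CGI::Cookie::new("name" => "user_name", "value" => "david", "expires" => Time.local(2005, 10, 10)) ], @response.headers["cookie"]
   end
 
+  def test_setting_cookie_with_http_only
+    get :authenticate_with_http_only
+    assert_equal [ CGI::Cookie::new("name" => "user_name", "value" => "david", "http_only" => true) ], @response.headers["cookie"]
+    assert_equal CGI::Cookie::new("name" => "user_name", "value" => "david", "path" => "/", "http_only" => true).to_s, @response.headers["cookie"].to_s
+  end
+
   def test_multiple_cookies
     get :set_multiple_cookies
     assert_equal 2, @response.cookies.size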
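Review bot: test_setting_cookie_with_http_only only covers the positive case; nothing pins that a cookie set without :http_only is still serialized without `; HttpOnly`, so a regression that emits the flag for every cookie (or for none, if the positive assertion were loosened) would go unnoticed. A negative assertion next to the existing test_setting_cookie would close that gap, e.g. `assert_no_match(/HttpOnly/, @response.headers["cookie"].to_s)`. The first assert_equal on the CGI::Cookie objects follows the pattern of the surrounding tests, but whether Cookie#== takes http_only into account depends on its equality definition outside this hunk; the to_s comparison on the following line is the assertion that actually verifies the attribute reaches the header, so it should be kept even if the first one is dropped.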
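--- a/lib/action_controller/cgi_ext/cookie.rb
+++ b/lib/action_controller/cgi_ext/cookie.rb
@@ -19,6 +19,7 @@
     # secure:: whether this cookie is a secure cookie or not (default to
     #          false).  Secure cookies are only transmitted to HTTPS
     #          servers.
+    # http_only:: whether the session should only be accessible via HTTP, not scripting - see http://msdn2.microsoft.com/en-us/library/system.web.httpcookie.httponly.aspx
     #
     # These keywords correspond to attributes of the cookie object.
     def initialize(name = '', *value)
@@ -28,6 +29,7 @@
         @domain = nil
         @expires = nil
         @secure = false
+        @http_only = false
         @path = nil
       else
         @name = name['name']
@@ -35,6 +37,7 @@
         @domain = name['domain']
         @expires = name['expires']
         @secure = name['secure'] || false
+        @http_only = name['http_only'] || false
         @path = name['path']
       end
 
@@ -56,7 +59,7 @@
     end
 
     attr_accessor("name", "value", "path", "domain", "expires")
-    attr_reader("secure"
+    attr_reader("secure", "http_only"
 
     # Set whether the Cookie is a secure cookie or not.
     #
@@ -66,6 +69,14 @@
       @secure
     end
 
+    # Set whether the Cookie is a HTTP only or not.
+    #
+    # +val+ must be a boolean.
+    def http_only=(val)
+      @http_only = val if val == true or val == false
+      @http_only
+    end
+
     # Convert the Cookie to its string representation.
     def to_s
       buf = ""
@@ -93,6 +104,10 @@
         buf << '; secure'
       end
 
+      if @http_only == true
+        buf << '; HttpOnly'
+      end
+
       buf
     end
 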
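Review bot: The three places that handle @http_only disagree on what counts as "set": initialize stores any truthy `name['http_only']` (`|| false`), to_s emits the flag only when `@http_only == true`, and the `http_only=` writer silently ignores anything that is not exactly true or false. A caller passing `"http_only" => 1` or the string "true" therefore gets a cookie whose http_only reader returns a truthy value while the Set-Cookie header is sent without HttpOnly, which is the wrong direction for a security attribute to fail in. I would either normalize once in initialize, `@http_only = name['http_only'] == true`, and make the writer reject bad input loudly, `raise ArgumentError, "http_only must be true or false" unless val == true || val == false`, or accept any truthy value consistently in all three places. Two smaller points on the same hunks: the writer uses `or` where `||` is the conventional operator, and the new keyword doc says "the session" where it describes the cookie. The `attr_reader("secure"` / `attr_reader("secure", "http_only"` lines appear to have lost their closing parenthesis in the page rendering rather than in the patch itself, so that is worth checking against the raw file.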
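--- a/lib/action_controller/cookies.rb
+++ b/lib/action_controller/cookies.rb
@@ -22,6 +22,7 @@
   # * <tt>path</tt> - the path for which this cookie applies.  Defaults to the root of the application.
   # * <tt>domain</tt> - the domain for which this cookie applies.
   # * <tt>expires</tt> - the time at which this cookie expires, as a +Time+ object.
+  # * <tt>http_only</tt> - whether this cookie is accessible via scripting or only HTTP (defaults to false).
   # * <tt>secure</tt> - whether this cookie is a secure cookie or not (default to false).
   #   Secure cookies are only transmitted to HTTPS servers.
   module Cookies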
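Review bot: The added option doc is ambiguous about polarity: "whether this cookie is accessible via scripting or only HTTP" does not say which of the two a value of true selects, and this is the user-facing reference for a setting whose whole purpose is to keep the cookie away from client-side script. Reword it so the meaning of true is explicit, e.g. `# * <tt>http_only</tt> - when true, the cookie is sent with the HttpOnly flag so it is only accessible over HTTP, not to client-side scripting (defaults to false).`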