FIX: force secure cookies on session if force https is enabled

2016-10-27 15:15:58 +11:00 · 2016-10-27 15:15:58 +11:00 · 9848e26190
parent 004e71a3fe
commit 9848e26190
2 changed files with 19 additions and 1 deletions
--- a/config/initializers/100-session_store.rb
+++ b/config/initializers/100-session_store.rb
@ -1,7 +1,9 @@
 # Be sure to restart your server when you modify this file.
+#
+require_dependency 'discourse_cookie_store'

 Discourse::Application.config.session_store(
-  :cookie_store,
+  :discourse_cookie_store,
  key: '_forum_session',
  path: (Rails.application.config.relative_url_root.nil?) ? '/' : Rails.application.config.relative_url_root
 )
--- a/lib/discourse_cookie_store.rb
+++ b/lib/discourse_cookie_store.rb
@ -0,0 +1,16 @@
+class ActionDispatch::Session::DiscourseCookieStore < ActionDispatch::Session::CookieStore
+  def initialize(app, options={})
+    super(app,options)
+  end
+
+  private
+
+  def set_cookie(request, session_id, cookie)
+    if Hash === cookie
+      if SiteSetting.force_https
+        cookie[:secure] = true
+      end
+    end
+    cookie_jar(request)[@key] = cookie
+  end
+end