- # For what I have done, please forgive me.
- # This monkey patch adds HttpOnly support for the session cookie
- # This is present and accepted into Rails 2.2 at the time of writing, but not in Rails 2.1.
- # You can remove this and set HttpOnly properly when moving to Rails 2.2
module ActionController
  # Rails 2.1 request classes reopened so that DEFAULT_SESSION_OPTIONS
  # carries :session_http_only => true. Reassigning an existing constant
  # makes Ruby print an "already initialized constant" warning at load
  # time; that is expected for this patch.
  class RackRequest
    DEFAULT_SESSION_OPTIONS = {
      :database_manager  => CGI::Session::CookieStore, # session data lives in the cookie itself
      :prefix            => "ruby_sess.",              # prefix for session file names
      :session_path      => "/",                       # cookie is sent for every path in the app
      :session_key       => "_session_id",             # cookie name
      :cookie_only       => true,                      # session id comes from the cookie only
      :session_http_only => true                       # the point of this patch: HttpOnly cookie
    }
  end

  # Same defaults for the CGI-based request class. Deliberately a separate
  # hash object (not a reference to RackRequest's), as in the original.
  class CgiRequest
    DEFAULT_SESSION_OPTIONS = {
      :database_manager  => CGI::Session::CookieStore, # session data lives in the cookie itself
      :prefix            => "ruby_sess.",              # prefix for session file names
      :session_path      => "/",                       # cookie is sent for every path in the app
      :session_key       => "_session_id",             # cookie name
      :cookie_only       => true,                      # session id comes from the cookie only
      :session_http_only => true                       # the point of this patch: HttpOnly cookie
    }
  end
end
class CGI::Session::CookieStore
  # Cookie-store constructor, re-implemented so that the 'session_http_only'
  # option is carried into the cookie attributes as 'http_only'.
  #
  # session:: the session object backed by this store; kept in @session.
  # options:: string-keyed configuration hash. 'session_key' is mandatory;
  #           'secret' is checked by ensure_secret_secure, which is defined
  #           by Rails rather than in this file. The DEFAULT_SESSION_OPTIONS
  #           patched above use symbol keys, so this relies on the request
  #           class stringifying them before they get here -- confirm.
  #
  # Raises ArgumentError when 'session_key' is blank.
  #
  # Side effect: forces options['no_hidden'] and options['no_cookies'] to
  # true on the caller's hash, because the session id is unused and this
  # store writes its own data cookie.
  def initialize(session, options = {})
    raise ArgumentError, 'A session_key is required to write a cookie containing the session data. Use config.action_controller.session = { :session_key => "_myapp_session", :secret => "some secret phrase" } in config/environment.rb' if options['session_key'].blank?

    ensure_secret_secure(options['secret'])

    @session = session
    @secret  = options['secret']
    @digest  = options['digest'] || 'SHA1' # message digest; SHA1 unless configured

    # Translate session_* option names into the attribute names the cookie
    # is written with. 'http_only' is the entry this patch exists for; a
    # missing option simply yields nil for that attribute.
    attribute_sources = {
      'name'      => 'session_key',
      'path'      => 'session_path',
      'domain'    => 'session_domain',
      'expires'   => 'session_expires',
      'secure'    => 'session_secure',
      'http_only' => 'session_http_only'
    }
    @cookie_options = {}
    attribute_sources.each do |attribute, option_name|
      @cookie_options[attribute] = options[option_name]
    end

    options['no_hidden'] = options['no_cookies'] = true
  end
end