module Roda::RodaPlugins::CookieFlags
The cookie_flags plugin allows users to force specific cookie flags for all cookies set by the application. It can also be used to warn or raise for unexpected cookie flags.
The cookie_flags plugin deals with the following cookie flags:
- httponly
-
Disallows access to the cookie from client-side scripts.
- samesite
-
Restricts to which domains the cookie is sent.
- secure
-
Instructs the browser to only transmit the cookie over HTTPS.
This plugin ships in secure-by-default mode, where it enforces secure, httponly, samesite=strict cookies. You can disable enforcing specific flags using the following options:
- :httponly
-
Set to false to not enforce httponly flag.
- :same_site
-
Set to symbol or string to enforce a different samesite setting, or false to not enforce a specific samesite setting.
- :secure
-
Set to false to not enforce secure flag.
For example, to enforce secure cookies and enforce samesite=lax, but not enforce an httponly flag:
plugin :cookie_flags, httponly: false, same_site: 'lax'
In general, overriding cookie flags using this plugin should be considered a stop-gap solution. Instead of overriding cookie flags, it’s better to fix whatever is setting the cookie flags incorrectly. You can use the :action option to modify the behavior:
# Issue warnings when modifying cookie flags plugin :cookie_flags, action: :warn_and_modify # Issue warnings for incorrect cookie flags without modifying cookie flags plugin :cookie_flags, action: :warn # Raise errors for incorrect cookie flags plugin :cookie_flags, action: :raise
The recommended way to use the plugin is to use it only during testing with action: :raise
. Then as long as you have fully covering tests, you can be sure the cookies set by your application use the correct flags.
Note that this plugin only affects cookies set by the application, and does not affect cookies set by middleware the application is using.
Constants
- DEFAULTS
-
:nocov:
- MATCH_METH
-
:nocov:
Public Class Methods
Source
# File lib/roda/plugins/cookie_flags.rb, line 63 def self.configure(app, opts=OPTS) previous = app.opts[:cookie_flags] || DEFAULTS opts = app.opts[:cookie_flags] = previous.merge(opts) case opts[:same_site] when String, Symbol opts[:same_site] = opts[:same_site].to_s.downcase.freeze opts[:same_site_string] = "; samesite=#{opts[:same_site]}".freeze opts[:secure] = true if opts[:same_site] == 'none' end opts.freeze end