Module: Roda::RodaPlugins::CookieFlags
Defined in: lib/roda/plugins/cookie_flags.rb
Overview
The cookie_flags plugin allows users to force specific cookie flags for all cookies set by the application. It can also be used to warn or raise for unexpected cookie flags.
The cookie_flags plugin deals with the following cookie flags:
- httponly: Disallows access to the cookie from client-side scripts.
- samesite: Restricts whether the cookie is sent with cross-site requests.
- secure: Instructs the browser to only transmit the cookie over HTTPS.
This plugin ships in secure-by-default mode, where it enforces secure, httponly, samesite=strict cookies. You can disable enforcing specific flags using the following options:
- :httponly: Set to false to not enforce the httponly flag.
- :same_site: Set to a symbol or string to enforce a different samesite setting, or to false to not enforce a specific samesite setting.
- :secure: Set to false to not enforce the secure flag.
For example, to enforce secure cookies and enforce samesite=lax, but not enforce an httponly flag:
plugin :cookie_flags, httponly: false, same_site: 'lax'
In general, overriding cookie flags using this plugin should be considered a stop-gap solution. Instead of overriding cookie flags, it’s better to fix whatever is setting the cookie flags incorrectly. You can use the :action option to modify the behavior:
# Issue warnings when modifying cookie flags
plugin :cookie_flags, action: :warn_and_modify
# Issue warnings for incorrect cookie flags without modifying cookie flags
plugin :cookie_flags, action: :warn
# Raise errors for incorrect cookie flags
plugin :cookie_flags, action: :raise
The recommended way to use the plugin is to use it only during testing with action: :raise. Then, as long as you have full test coverage, you can be sure the cookies set by your application use the correct flags.
Note that this plugin only affects cookies set by the application, and does not affect cookies set by middleware the application is using.
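As an added illustration (not code from the Roda plugin itself), the following stand-alone Ruby reproduces the checks the options above describe: it normalises options the way configure does (lowercasing same_site and forcing secure for samesite=none), then audits a raw Set-Cookie header value and applies the :warn, :warn_and_modify or :raise action. The default action name :modify, the function names and the sample cookie are assumptions made here.

```ruby
require 'logger'

class CookieFlagError < StandardError; end

SAMPLE_COOKIE = 'session=abc123; path=/' # constructed sample header, not from the page

# Normalise options the way the page's configure method does: a Symbol/String
# same_site is lowercased, and samesite=none forces the secure flag.
def normalize_cookie_flags(httponly: true, same_site: :strict, secure: true, action: :modify)
  opts = { httponly: httponly, same_site: same_site, secure: secure, action: action }
  if opts[:same_site]
    opts[:same_site] = opts[:same_site].to_s.downcase
    opts[:secure] = true if opts[:same_site] == 'none'
  end
  opts
end

# Check one Set-Cookie header value against opts. Returns [header, problems];
# the header is rewritten only for the modifying actions, and :raise aborts.
def enforce_cookie_flags(set_cookie, opts, logger: Logger.new($stderr))
  attrs = set_cookie.split(';').map(&:strip)
  flag = ->(name) { attrs.any? { |a| a.downcase == name } }
  samesite = attrs.find { |a| a.downcase.start_with?('samesite=') }
  problems = []
  if opts[:secure] && !flag.call('secure')
    problems << 'missing secure'
    attrs << 'secure'
  end
  if opts[:httponly] && !flag.call('httponly')
    problems << 'missing httponly'
    attrs << 'httponly'
  end
  if opts[:same_site]
    current = samesite && samesite.split('=', 2)[1].downcase
    if current != opts[:same_site]
      problems << "samesite=#{current || 'unset'} (expected #{opts[:same_site]})"
      attrs.delete(samesite) if samesite
      attrs << "samesite=#{opts[:same_site]}"
    end
  end
  return [set_cookie, problems] if problems.empty?

  # Log only the cookie name, never its value
  message = "cookie #{attrs.first.split('=', 2).first}: #{problems.join(', ')}"
  case opts[:action]
  when :raise then raise CookieFlagError, message
  when :warn then logger.warn(message); [set_cookie, problems]
  when :warn_and_modify then logger.warn(message); [attrs.join('; '), problems]
  else [attrs.join('; '), problems]
  end
end
```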
Defined Under Namespace
Modules: InstanceMethods
Classes: Error
Class Method Details
.configure(app, opts = OPTS) ⇒ Object
# File 'lib/roda/plugins/cookie_flags.rb', line 63

def self.configure(app, opts=OPTS)
  previous = app.opts[:cookie_flags] || DEFAULTS
  opts = app.opts[:cookie_flags] = previous.merge(opts)

  case opts[:same_site]
  when String, Symbol
    opts[:same_site] = opts[:same_site].to_s.downcase.freeze
    opts[:same_site_string] = "; samesite=#{opts[:same_site]}".freeze
    opts[:secure] = true if opts[:same_site] == 'none'
  end

  opts.freeze
end