The cookie_flags plugin allows users to force specific cookie flags for all cookies set by the application. It can also be used to warn or raise for unexpected cookie flags.
The cookie_flags plugin deals with the following cookie flags:
| httponly |
Disallows access to the cookie from client-side scripts. |
| samesite |
Restricts to which domains the cookie is sent. |
| secure |
Instructs the browser to only transmit the cookie over HTTPS. |
This plugin ships in secure-by-default mode, where it enforces secure, httponly, samesite=strict cookies. You can disable enforcing specific flags using the following options:
| :httponly |
Set to false to not enforce httponly flag. |
| :same_site |
Set to symbol or string to enforce a different samesite setting, or false to not enforce a specific samesite setting. |
| :secure |
Set to false to not enforce secure flag. |
For example, to enforce secure cookies and enforce samesite=lax, but not enforce an httponly flag:
plugin :cookie_flags, httponly: false, same_site: 'lax'
In general, overriding cookie flags using this plugin should be considered a stop-gap solution. Instead of overriding cookie flags, it’s better to fix whatever is setting the cookie flags incorrectly. You can use the :action option to modify the behavior:
# Issue warnings when modifying cookie flags plugin :cookie_flags, action: :warn_and_modify # Issue warnings for incorrect cookie flags without modifying cookie flags plugin :cookie_flags, action: :warn # Raise errors for incorrect cookie flags plugin :cookie_flags, action: :raise
The recommended way to use the plugin is to use it only during testing with action: :raise. Then as long as you have fully covering tests, you can be sure the cookies set by your application use the correct flags.
Note that this plugin only affects cookies set by the application, and does not affect cookies set by middleware the application is using.
Classes and Modules
Public Class methods
# File lib/roda/plugins/cookie_flags.rb 63 def self.configure(app, opts=OPTS) 64 previous = app.opts[:cookie_flags] || DEFAULTS 65 opts = app.opts[:cookie_flags] = previous.merge(opts) 66 67 case opts[:same_site] 68 when String, Symbol 69 opts[:same_site] = opts[:same_site].to_s.downcase.freeze 70 opts[:same_site_string] = "; samesite=#{opts[:same_site]}".freeze 71 opts[:secure] = true if opts[:same_site] == 'none' 72 end 73 74 opts.freeze 75 end