Unfloyded/Legamunt
0
0
Fork 0
Code Activity

Onion service related changes to HTTPS handling (#15560)

Browse source 
* Enable secure cookie flag for https only

* Disable force_ssl for .onion hosts only

Co-authored-by: Aiden McClelland <me@drbonez.dev>
This commit is contained in:
Cecylia Bocovich 2021-02-10 22:40:13 -05:00 committed by GitHub
parent d499bb031f
commit e79f8dd85c
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
8 changed files with 27 additions and 11 deletions
Download patch file Download diff file Expand all files Collapse all files

6
config/initializers/devise.rb
View file

@ -9,7 +9,6 @@ Warden::Manager.after_set_user except: :fetch do |user, warden|
value: session_id,
expires: 1.year.from_now,
httponly: true,
secure: (Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'),
same_site: :lax,
}
end
@ -20,7 +19,6 @@ Warden::Manager.after_fetch do |user, warden|
value: warden.cookies.signed['_session_id'] || warden.raw_session['auth_id'],
expires: 1.year.from_now,
httponly: true,
secure: (Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'),
same_site: :lax,
}
else
@ -229,10 +227,6 @@ Devise.setup do |config|
# If true, extends the user's remember period when remembered via cookie.
# config.extend_remember_period = false
# Options to be passed to the created cookie. For instance, you can set
# secure: true in order to force SSL only cookies.
config.rememberable_options = { secure: true }
# ==> Configuration for :validatable
# Range for password length.
config.password_length = 8..72