allow secure session cookies through proxy or to localhost

rack · Mar 1, 2024 · b10ff4d · b10ff4d
1 parent c84d5de
commit b10ff4d
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/lib/rack/session/abstract/id.rb b/lib/rack/session/abstract/id.rb
@@ -368,7 +368,9 @@ def force_options?(options)
 
         def security_matches?(request, options)
           return true unless options[:secure]
-          request.ssl?
+          # OK to send a secure token over ssl, or to local host
+          # or if the instance is running behind a proxy that handles ssl
+          request.ssl? || request.host == 'localhost' || options[:trust_proxy]
         end
 
         # Acquires the session from the environment and the session id from