authorAaron Patterson <aaron.patterson@gmail.com>2015-09-03 07:15:12 +0200
committerAaron Patterson <aaron.patterson@gmail.com>2015-09-03 07:15:12 +0200
commit304c1a130b1990a1b0b87c528f4b1c63171b2ef3 (patch)
treefec0b61c8fcdb5c659811a0966306c44f3db9b1d
parent6c4160b8c5173299f4b49ea2c9e4aab76f6b9054 (diff)
parented84b6d665c36bd24d0934e38ba440e95d52633e (diff)
Merge pull request #900 from dmcinnes/disable-cookie-secret-warnings
Allow users to disable the secure cookie warning for custom coders
-rw-r--r--lib/rack/session/cookie.rb7
-rw-r--r--test/spec_session_cookie.rb15
2 files changed, 21 insertions, 1 deletions
diff --git a/lib/rack/session/cookie.rb b/lib/rack/session/cookie.rb
index 66bb7856..b88e305e 100644
--- a/lib/rack/session/cookie.rb
+++ b/lib/rack/session/cookie.rb
@@ -105,7 +105,7 @@ module Rack
 
       def initialize(app, options={})
         @secrets = options.values_at(:secret, :old_secret).compact
-        warn <<-MSG unless @secrets.size >= 1
+        warn <<-MSG unless secure?(options)
         SECURITY WARNING: No secret option provided to Rack::Session::Cookie.
         This poses a security threat. It is strongly recommended that you
         provide a secret to prevent exploits that may be possible from crafted
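Review bot: The warning heredoc starting on L28 is now also emitted when the new opt-out is half-configured (`:let_coder_handle_secure_encoding` without `:coder`, the case the new test "still warns if coder is not set" pins), yet its text still only says that no secret was given, so a caller in that situation gets no hint why the warning persists. Consider extending the message with one line naming the opt-out, e.g. `If your coder already signs or encrypts the session, pass :coder together with :let_coder_handle_secure_encoding => true.`. Both `initialize` and the heredoc continue past the end of this hunk, and `secure?` itself is defined in a later hunk of the same file.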
@@ -183,6 +183,11 @@ module Rack
         OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA1.new, secret, data)
       end
 
+      def secure?(options)
+        @secrets.size >= 1 ||
+        (options[:coder] && options[:let_coder_handle_secure_encoding])
+      end
+
     end
   end
 end
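Review bot: `secure?` on L35-38 answers true when the caller merely asserts that their coder handles security — nothing about `options[:coder]` is inspected (the new test passes a bare `Object.new`), so the name overstates what is checked, and the method returns `nil` or the raw flag value rather than a boolean. A header comment should state the contract, e.g. `# True when a secret was supplied, or when the caller supplied a coder and asserted it does its own signing/encryption; the coder itself is not validated.`, and the predicate can be normalised with `!!(@secrets.size >= 1 || (options[:coder] && options[:let_coder_handle_secure_encoding]))`. The method is appended at the end of the class; whether it lands under `private` depends on lines outside the hunk, and if it ends up public it becomes part of the middleware's interface and the new option should be documented alongside `:secret` and `:coder` in the class docs.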
diff --git a/test/spec_session_cookie.rb b/test/spec_session_cookie.rb
index 5c3f5bd5..2b382b50 100644
--- a/test/spec_session_cookie.rb
+++ b/test/spec_session_cookie.rb
@@ -152,6 +152,21 @@ describe Rack::Session::Cookie do
     @warnings.must_be :empty?
   end
 
+  it "doesn't warn if coder is configured to handle encoding" do
+    Rack::Session::Cookie.new(
+      incrementor,
+      :coder => Object.new,
+      :let_coder_handle_secure_encoding => true)
+    @warnings.must_be :empty?
+  end
+
+  it "still warns if coder is not set" do
+    Rack::Session::Cookie.new(
+      incrementor,
+      :let_coder_handle_secure_encoding => true)
+    @warnings.first.must_match(/no secret/i)
+  end
+
   it 'uses a coder' do
     identity = Class.new {
       attr_reader :calls
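Review bot: The two new cases cover flag-with-coder and flag-without-coder, but not coder-without-flag, which is the case that keeps the warning for existing `:coder` users who have not opted out; a regression in `secure?` that treated `:coder` alone as sufficient would pass this suite unnoticed. Add a case mirroring the second one so the opt-out is shown to require both keys. The `'uses a coder'` block that follows continues past the end of the hunk.
```ruby
  it "still warns if coder is set but not flagged to handle encoding" do
    Rack::Session::Cookie.new(incrementor, :coder => Object.new)
    @warnings.first.must_match(/no secret/i)
  end
```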