Merge pull request #812 from murphysean/securesession

Session cookie secure attribute

Author: joshtriplett

src/sessions/middleware.rs

@@ -55,6 +55,7 @@ pub struct SessionMiddleware<Store> {
     cookie_domain: Option<String>,
     session_ttl: Option<Duration>,
     save_unchanged: bool,
+    secure: Option<bool>,
     same_site_policy: SameSite,
     key: Key,
 }
@@ -67,6 +68,7 @@ impl<Store: SessionStore> std::fmt::Debug for SessionMiddleware<Store> {
             .field("cookie_name", &self.cookie_name)
             .field("cookie_domain", &self.cookie_domain)
             .field("session_ttl", &self.session_ttl)
+            .field("secure", &self.secure)
             .field("same_site_policy", &self.same_site_policy)
             .field("key", &"..")
             .field("save_unchanged", &self.save_unchanged)
@@ -92,7 +94,10 @@ where
             session.expire_in(ttl);
         }
 
-        let secure_cookie = request.url().scheme() == "https";
+        let mut secure_cookie = request.url().scheme() == "https";
+        if let Some(secure) = self.secure {
+            secure_cookie = secure;
+        }
         request.set_ext(session.clone());
 
         let mut response = next.run(request).await;
@@ -141,6 +146,7 @@ impl<Store: SessionStore> SessionMiddleware<Store> {
     /// * cookie path: "/"
     /// * cookie name: "tide.sid"
     /// * session ttl: one day
+    /// * secure: request.scheme == 'https'
     /// * same site: strict
     /// * save unchanged: enabled
     ///
@@ -161,6 +167,7 @@ impl<Store: SessionStore> SessionMiddleware<Store> {
     ///         .with_cookie_name("custom.cookie.name")
     ///         .with_cookie_path("/some/path")
     ///         .with_cookie_domain("www.rust-lang.org")
+    ///         .with_secure(true)
     ///         .with_same_site_policy(SameSite::Lax)
     ///         .with_session_ttl(Some(Duration::from_secs(1)))
     ///         .without_save_unchanged(),
@@ -173,6 +180,7 @@ impl<Store: SessionStore> SessionMiddleware<Store> {
             cookie_path: "/".into(),
             cookie_name: "tide.sid".into(),
             cookie_domain: None,
+            secure: None,
             same_site_policy: SameSite::Lax,
             session_ttl: Some(Duration::from_secs(24 * 60 * 60)),
             key: Key::derive_from(secret),
@@ -218,6 +226,14 @@ impl<Store: SessionStore> SessionMiddleware<Store> {
         self
     }
 
+    /// Sets the secure attribute of the cookie.
+    /// Defaults to true if the incoming request scheme is 'https'
+    /// Can optionally be set to true or false to override
+    pub fn with_secure(mut self, secure: bool) -> Self {
+        self.secure = Some(secure);
+        self
+    }
+
     /// Sets the same site policy for the session cookie. Defaults to
     /// SameSite::Lax. See [incrementally better
     /// cookies](https://tools.ietf.org/html/draft-west-cookie-incrementalism-01)

tests/sessions.rs

@@ -64,7 +64,8 @@ async fn test_customized_sessions() -> tide::Result<()> {
             .with_cookie_name("custom.cookie.name")
             .with_cookie_path("/nested")
             .with_cookie_domain("www.rust-lang.org")
-            .with_same_site_policy(SameSite::Strict)
+            .with_secure(true)
+            .with_same_site_policy(SameSite::Lax)
             .with_session_ttl(Some(Duration::from_secs(1)))
             .without_save_unchanged(),
     );
@@ -99,7 +100,8 @@ async fn test_customized_sessions() -> tide::Result<()> {
     assert!(cookies.get("tide.sid").is_none());
     let cookie = &cookies["custom.cookie.name"];
     assert_eq!(cookie.http_only(), Some(true));
-    assert_eq!(cookie.same_site(), Some(SameSite::Strict));
+    assert_eq!(cookie.secure(), Some(true));
+    assert_eq!(cookie.same_site(), Some(SameSite::Lax));
     assert_eq!(cookie.path(), Some("/nested"));
     assert_eq!(cookie.domain(), Some("www.rust-lang.org"));
     let cookie_value = cookie.value().to_string();