safe_cookies 0.1.3 → 0.1.4

checksums.yaml

@@ -0,0 +1,15 @@
+---
+!binary "U0hBMQ==":
+  metadata.gz: !binary |-
+    MTlmZjRlYWYyZDJmZjZmOTZhNDcyNGFhZDMyODE0Nzk3YTRmN2I3ZA==
+  data.tar.gz: !binary |-
+    MGY4OGY1Mjk1OGNiNDViZDA3Yjk2NTdkM2UzMGI0ZWUyMTZkYzQ4MA==
+SHA512:
+  metadata.gz: !binary |-
+    M2FmYjk3YjYxYTA1MWQ0MmIzYzMzMDcwNzE5NGMzYTc2MGM0ZmZiNTBjMmI5
+    MzU5MzEwNjE0OTY4M2Q2ZWEzYjQxZGRiYmVlMTE2YmY5YjZjYTYwM2EyMTcz
+    ZDBhNTRiMTE4N2ExYWIzNjhhMDIyOWQzMmZhOWRjYjkyNjQ5MjQ=
+  data.tar.gz: !binary |-
+    MGVkY2ZhM2UzNmYyMDhlYjBiZGE4Y2Q3MjM3MzU3MTFmZTJmMzg2YTJkYTY4
+    MjBkYWZjYzk1MjRkYzljYWMwNGRkYWE4OTIzMjRhYjc3ZWYxZDY4MjJmZmVm
+    NWQyYTk4ZTZhNjA1YWY0YjFiMmI3NWMxZjI2MTEyYmI3YzM3MjI=

data/README.md

@@ -1,10 +1,10 @@
 # SafeCookies
 
-This Gem brings a Middleware that will make all cookies secure. In detail, it will
+This Gem brings a middleware that will make all cookies secure. In detail, it will:
 
-* set all new cookies 'HttpOnly', unless specified otherwise
-* set all new cookies 'secure', if the request came via HTTPS and not specified otherwise
-* rewrite existing cookies, setting both flags as above
+* set all new application cookies 'HttpOnly', unless specified otherwise
+* set all new application cookies 'secure', if the request came via HTTPS and not specified otherwise
+* rewrite request cookies, setting both flags as above
 
 ## Installation
 
@@ -12,7 +12,7 @@ Add this line to your application's Gemfile:
 
     gem 'safe_cookies'
 
-And then execute:
+Then run:
 
     $ bundle
 
@@ -20,25 +20,70 @@ Or install it yourself as:
 
     $ gem install safe_cookies
 
+
 ## Usage
 
-In config/environment.rb:
+### Step 1
+**Rails 3**: add the following line in config/application.rb:
+
+    class Application < Rails::Application
+      # ...
+      config.middleware.insert_before ActionDispatch::Cookies, SafeCookies::Middleware
+    end
+
+**Rails 2:** add the following lines in config/environment.rb:
 
-    config.middleware.use SafeCookies::Middleware,
-      :remember_token => 1.year,
-      :last_action => 30.days,
-      :non_secure => %w[default_language],
-      :non_http_only => %w[javascript_data]
+    Rails::Initializer.run do |config|
+      # ...
+      require 'safe_cookies'
+      config.middleware.insert_before ActionController::Session::CookieStore, SafeCookies::Middleware
+    end
+
+### Step 2
+Register cookies, either just after the lines you added in step 1 or in in an initializer
+(e.g. config/initializers/safe_cookies.rb):
+
+    SafeCookies.configure do |config|
+      config.register_cookie :remember_token, :expire_after => 1.year
+      config.register_cookie :last_action, :expire_after => 30.days
+      config.register_cookie :default_language, :expire_after => 10.years, :secure => false
+      config.register_cookie :javascript_data, :expire_after => 1.day, :http_only => false
+    end
 
 This will have the `default_language` cookie not made secure, the `javascript_data` cookie
-not made HttpOnly. It will update the `remember_token` with an expiry of one year and the
-`last_action` cookie with an expiry of 30 days, making both of them secure and HttpOnly.
+not made http-only. It will rewrite the `remember_token` with an expiry of one year and the
+`last_action` cookie with an expiry of 30 days, making both of them secure and http-only.
+Available options are: `:expire_after (required), :path, :secure, :http_only`.
+
+### Step 3
+Override `SafeCookies::Middleware#handle_unknown_cookies(cookies)` (see "Dealing with unregistered cookies" below).
+
+
+## Dealing with unregistered cookies
+
+The middleware is not able to secure cookies without knowing their properties (most important: their
+expiry). Unfortunately, the [client won't ever tell us](http://tools.ietf.org/html/rfc6265#section-4.2.2)
+if the cookie was originally sent with flags such as "secure" or which expiry date it currently has.
+Therefore, it is important to register all cookies that users may come with, specifying their properties.
+Unregistered cookies cannot be secured.
+
+If a request brings a cookie that is not registered, the middleware will raise
+`SafeCookies::UnknownCookieError`. Rails 3+ should handle the exception as any other in your application,
+but by default, **you will not be notified from Rails 2 applications** and the user will see a standard
+500 Server Error. Override `SafeCookies::Middleware#handle_unknown_cookies(cookies)` in the config
+initializer for customized exception handling (like, notifying you per email).
+
+You should not ignore an unregistered cookie, but instead register it.
 
-## About Rails and Cookies
 
-Cookie syntax example:
+## Fix cookie paths
 
-    Set-Cookie: cookie1=value; secure,cookie2=value; path=/
+In August 2013 we noticed a bug in SafeCookies < 0.1.4, by which secured cookies would be set for the
+current "directory" (see comments in `cookie_path_fix.rb`) instead of root (which usually is what you want).
+Users would get multiple cookies for that domain, leading to issues like being unable to sign in.
 
-Actually, there should be one cookie per Set-Cookie header, but since Rails headers
-are implemented as Hash, it is not possible to have several Set-Cookie fields.
+The configuration option `config.fix_paths` turns on fixing this error. It requires an option
+`:for_cookies_secured_before => Time.parse('some minutes after you will have deployed')` which reflects the
+point of time from which cookies will be secured with the correct path. The middleware will fix the cookie
+paths by rewriting all cookies that it has already secured, but only if the were secured before the time
+you specified.

data/lib/safe_cookies/configuration.rb

@@ -0,0 +1,69 @@
+module SafeCookies
+  
+  MissingOptionError = Class.new(StandardError)
+
+  class << self
+    attr_accessor :configuration
+
+    def configure
+      self.configuration ||= Configuration.new
+      yield(configuration)
+    end
+
+  end
+
+  class Configuration
+    attr_reader :registered_cookies, :fix_cookie_paths, :correct_cookie_paths_timestamp
+
+    def initialize
+      self.registered_cookies = {}
+      self.insecure_cookies = []
+      self.scriptable_cookies = []
+    end
+    
+    # Register cookies you expect to receive. The middleware will rewrite all
+    # registered cookies it receives, making them both secure and http_only.
+    #
+    # Unfortunately, the client won't ever tell us if the cookie was originally
+    # sent with flags such as "secure" or which expiry date it currently has:
+    # http://tools.ietf.org/html/rfc6265#section-4.2.2
+    #
+    # Therefore, specify an expiry, and more options if needed:
+    #
+    #   :expire_after => 1.year
+    #   :secure => false
+    #   :http_only = false
+    #   :path => '/foo/path'
+    #
+    def register_cookie(name, options)
+      options.has_key?(:expire_after) or raise MissingOptionError.new("Cookie #{name.inspect} was registered without an expiry")
+      raise NotImplementedError if options.has_key?(:domain)
+      
+      registered_cookies[name.to_s] = (options || {}).freeze
+      insecure_cookies << name if options[:secure] == false
+      scriptable_cookies << name if options[:http_only] == false
+    end
+    
+    def fix_paths(options = {})
+      options.has_key?(:for_cookies_secured_before) or raise MissingOptionError.new("Was told to fix paths without the :for_cookies_secured_before timestamp.")
+
+      self.fix_cookie_paths = true
+      self.correct_cookie_paths_timestamp = options[:for_cookies_secured_before]
+    end
+    
+    def insecure_cookie?(name)
+      insecure_cookies.include? name
+    end
+    
+    def scriptable_cookie?(name)
+      scriptable_cookies.include? name
+    end
+    
+    private
+    
+    attr_accessor :insecure_cookies, :scriptable_cookies
+    attr_writer :registered_cookies, :fix_cookie_paths, :correct_cookie_paths_timestamp
+
+  end
+
+end

data/lib/safe_cookies/cookie_path_fix.rb

@@ -0,0 +1,64 @@
+module SafeCookies
+  module CookiePathFix
+    
+    # Previously, the SafeCookies gem would not set a path when rewriting
+    # cookies. Browsers then would assume and store the current "directory",
+    # leading to multiple cookies per domain.
+    #
+    # If cookies had been secured before the configured datetime, the method
+    # `fix_cookie_paths` deletes all cookies coming with the request, and the
+    # SECURED_COOKIE_NAME helper cookie.
+    # The middleware still sees the request cookies and will rewrite them as
+    # if it hadn't seen them before.
+    
+    def fix_cookie_paths
+      registered_cookies_in_request.keys.each do |registered_cookie|
+        delete_cookie_for_current_directory(registered_cookie)
+      end
+      delete_cookie_for_current_directory(SafeCookies::SECURED_COOKIE_NAME)
+      
+      # Delete this cookie here, so the middleware will secure all cookies anew.
+      @request.cookies.delete(SafeCookies::SECURED_COOKIE_NAME)
+    end
+        
+    private
+    
+    def fix_cookie_paths?
+      @configuration.fix_cookie_paths or return false
+      
+      cookies_need_path_fix = (secured_old_cookies_timestamp < @configuration.correct_cookie_paths_timestamp)
+
+      cookies_have_been_rewritten_before and cookies_need_path_fix
+    end
+
+    # Delete cookies by giving them an expiry in the past,
+    # cf. https://tools.ietf.org/html/rfc6265#section-4.1.2.
+    #
+    # Most important, as specified in
+    # https://tools.ietf.org/html/rfc6265#section-4.1.2.4 and in section 5.1.4,
+    # cookies set without a path will be set for the current "directory", that is:
+    #
+    #   > ... the characters of the uri-path from the first character up
+    #   > to, but not including, the right-most %x2F ("/").
+    #
+    # However, Firefox includes the right-most slash when guessing the cookie path,
+    # so we must resort to letting browsers estimate the deletion cookie path again.
+    def delete_cookie_for_current_directory(cookie_name)
+      current_directory_is_not_root = @request.path[%r(^/[^/]+/[^\?]+), 0]
+      
+      if current_directory_is_not_root
+        one_week = (7 * 24 * 60 * 60)
+        set_cookie!(cookie_name, "", :path => nil, :expire_after => -one_week)
+      end
+    end
+    
+    def secured_old_cookies_timestamp
+      Time.rfc2822(@request.cookies[SafeCookies::SECURED_COOKIE_NAME])
+    rescue ArgumentError
+      # If we cannot parse the secured_old_cookies time,
+      # assume it was before we noticed the bug to ensure
+      # broken cookie paths will be fixed.
+      Time.parse "2013-08-25 0:00"
+    end
+  end
+end

data/lib/safe_cookies/util.rb

@@ -0,0 +1,17 @@
+module SafeCookies
+  class Util
+    class << self
+      
+      def slice(hash, *allowed_keys)
+        sliced_hash = hash.select { |key, value|
+          allowed_keys.include? key
+        }
+
+        # Normalize the result of Hash#select
+        # (Ruby 1.8 returns an Array, Ruby 1.9 returns a Hash)
+        Hash[sliced_hash]
+      end
+      
+    end
+  end
+end

data/lib/safe_cookies/version.rb

@@ -1,3 +1,3 @@
 module SafeCookies
-  VERSION = '0.1.3'
+  VERSION = '0.1.4'
 end

data/lib/safe_cookies.rb

@@ -1,49 +1,55 @@
 # -*- encoding: utf-8 -*-
+require "safe_cookies/configuration"
+require "safe_cookies/cookie_path_fix"
+require "safe_cookies/util"
 require "safe_cookies/version"
 require "rack"
 
 module SafeCookies
-  class Middleware
 
+  UnknownCookieError = Class.new(StandardError)
+  
+  CACHE_COOKIE_NAME = '_safe_cookies__known_cookies'
+  SECURED_COOKIE_NAME = 'secured_old_cookies'
+  HELPER_COOKIES_LIFETIME = 10 * 365 * 24 * 60 * 60 # 10 years
 
-    def initialize(app, options = {})
-      # Pass a hash for `cookies_to_update` with name as key and lifetime as value.
-      # Use this to update existing cookies that you expect to receive.
-      #
-      # Unfortunately, the client won't ever tell us if the cookie was originally
-      # sent with flags such as "secure" or which expiry date it currently has:
-      # http://tools.ietf.org/html/rfc6265#section-4.2.2
-      #
-      # The :non_secure option specifies cookies that will not be made secure. Use
-      # this for storing site usage settings like filters etc. that need to be available
-      # when not on HTTPS (this should rarely be the case).
-      #
-      # The :non_http_only option is analog, use it for storing data you want to access
-      # with javascript.
+  class Middleware
+    
+    include CookiePathFix
+    
+    KNOWN_COOKIES_DIVIDER = '|'
 
-      options = options.dup
 
+    def initialize(app)
       @app = app
-      @non_secure = (options.delete(:non_secure) || []).map(&:to_s)
-      @non_http_only = (options.delete(:non_http_only) || []).map(&:to_s)
-      @cookies_to_update = options
+      @configuration = SafeCookies.configuration or raise "Don't know what to do without configuration"
     end
 
     def call(env)
-      @env = env
-      status, headers, body = @app.call(@env)
+      reset_instance_variables
+      
+      @request = Rack::Request.new(env)
+      ensure_no_unknown_cookies!
+
+      status, @headers, body = @app.call(env)
 
-      secure_old_cookies!(headers) if @cookies_to_update.any?
-      secure_new_cookies!(headers)
+      fix_cookie_paths if fix_cookie_paths?
+      rewrite_request_cookies unless cookies_have_been_rewritten_before
+      cache_application_cookies
+      rewrite_application_cookies
 
-      [ status, headers, body ]
+      [ status, @headers, body ]
     end
 
     private
+    
+    def reset_instance_variables
+      @request, @headers = nil
+    end
 
     def secure(cookie)
       # Regexp from https://github.com/tobmatth/rack-ssl-enforcer/
-      if secure?(cookie) and cookie !~ /(^|;\s)secure($|;)/
+      if should_be_secure?(cookie) and cookie !~ /(^|;\s)secure($|;)/
         "#{cookie}; secure"
       else
         cookie
@@ -51,40 +57,46 @@ module SafeCookies
     end
 
     def http_only(cookie)
-      if http_only?(cookie) and cookie !~ /(^|;\s)HttpOnly($|;)/
+      if should_be_http_only?(cookie) and cookie !~ /(^|;\s)HttpOnly($|;)/
         "#{cookie}; HttpOnly"
       else
         cookie
       end
     end
-
-    def secure_old_cookies!(headers)
-      request = Rack::Request.new(@env)
-      return if request.cookies['secured_old_cookies']
-
-      @cookies_to_update.each do |key, expiry|
-        key = key.to_s
-        if request.cookies.has_key?(key)
-          value = request.cookies[key]
-          set_secure_cookie!(headers, key, value, expiry)
+    
+    # This method takes all cookies sent with the request and rewrites them,
+    # making them both secure and http-only (unless specified otherwise in
+    # the configuration).
+    # With the SECURED_COOKIE_NAME cookie we remember the exact time that we
+    # rewrote the cookies.
+    def rewrite_request_cookies
+      if @request.cookies.any?
+        registered_cookies_in_request.each do |registered_cookie, options|
+          value = @request.cookies[registered_cookie]
+
+          set_cookie!(registered_cookie, value, options)
         end
+      
+        formatted_now = Rack::Utils.rfc2822(Time.now.gmtime)
+        set_cookie!(SECURED_COOKIE_NAME, formatted_now, :expire_after => HELPER_COOKIES_LIFETIME)
       end
-      set_secure_cookie!(headers, 'secured_old_cookies', Rack::Utils.rfc2822(Time.now.gmtime))
     end
 
-    def set_secure_cookie!(headers, key, value, expire_after = 365 * 24 * 60 * 60) # one year
-      options = {
-        :path => '/',
-        :value => value,
-        :secure => secure?(key),
-        :httponly => http_only?(key),
-        :expires => Time.now + expire_after # This is what Rails does
-      }
-      Rack::Utils.set_cookie_header!(headers, key, options)
+    def set_cookie!(name, value, options)
+      options = options.dup
+      expire_after = options.delete(:expire_after)
+
+      options[:expires] = Time.now + expire_after if expire_after
+      options[:path] = '/' unless options.has_key?(:path) # allow setting path = nil
+      options[:value] = value
+      options[:secure] = should_be_secure?(name)
+      options[:httponly] = should_be_http_only?(name)
+
+      Rack::Utils.set_cookie_header!(@headers, name, options)
     end
 
-    def secure_new_cookies!(headers)
-      cookies = headers['Set-Cookie']
+    def rewrite_application_cookies
+      cookies = @headers['Set-Cookie']
       if cookies
         # Rails 2.3 / Rack 1.1 offers an array which is actually nice.
         cookies = cookies.split("\n") unless cookies.is_a?(Array)
@@ -103,22 +115,72 @@ module SafeCookies
         # It contains more information than the "HTTP_COOKIE" header from the
         # browser's request contained, so a `Rack::Request` can't parse it for
         # us. A `Rack::Response` doesn't offer a way either.
-        headers['Set-Cookie'] = cookies.join("\n")
+        @headers['Set-Cookie'] = cookies.join("\n")
+      end
+    end
+    
+    def should_be_secure?(cookie)
+      cookie_name = cookie.split('=').first.strip
+      ssl? and not @configuration.insecure_cookie?(cookie_name)
+    end
+    
+    def ssl?
+      if @request.respond_to?(:ssl?)
+        @request.ssl?
+      else
+        # older Rack versions
+        @request.scheme == 'https'
+      end
+    end
+    
+    def should_be_http_only?(cookie)
+      cookie_name = cookie.split('=').first.strip
+      not @configuration.scriptable_cookie?(cookie_name)
+    end
+    
+    def ensure_no_unknown_cookies!
+      request_cookies = @request.cookies.keys.map(&:to_s)
+      unknown_cookies = request_cookies - known_cookies
+      
+      if unknown_cookies.any?
+        handle_unknown_cookies(unknown_cookies)
+      end
+    end
+    
+    def handle_unknown_cookies(cookies)
+      raise SafeCookies::UnknownCookieError.new("Request for '#{@request.url}' had unknown cookies: #{cookies.join(', ')}")
+    end
+    
+    def cache_application_cookies
+      new_application_cookies = @headers['Set-Cookie']
+      
+      if new_application_cookies
+        new_application_cookies = new_application_cookies.join("\n") if new_application_cookies.is_a?(Array)
+        application_cookies = cached_application_cookies + new_application_cookies.scan(/(?=^|\n)[^\n;,=]+/i)
+        application_cookies_string = application_cookies.uniq.join(KNOWN_COOKIES_DIVIDER)
+        
+        set_cookie!(CACHE_COOKIE_NAME, application_cookies_string, :expire_after => HELPER_COOKIES_LIFETIME)
       end
     end
     
-    def secure?(cookie)
-      name = cookie.split('=').first.strip
-      ssl_request? and not @non_secure.include?(name)
+    def cached_application_cookies
+      cache_cookie = @request.cookies[CACHE_COOKIE_NAME] || ""
+      cache_cookie.split(KNOWN_COOKIES_DIVIDER)
+    end
+    
+    def known_cookies
+      known = [CACHE_COOKIE_NAME, SECURED_COOKIE_NAME]
+      known += cached_application_cookies
+      known += @configuration.registered_cookies.keys
     end
     
-    def http_only?(cookie)
-      name = cookie.split('=').first.strip
-      not @non_http_only.include?(name)
+    def cookies_have_been_rewritten_before
+      @request.cookies.has_key? SECURED_COOKIE_NAME
     end
     
-    def ssl_request?
-      @env['HTTPS'] == 'on' || @env['HTTP_X_FORWARDED_PROTO'] == 'https' # this is how Rails does it
+    # returns those of the registered cookies that appear in the request
+    def registered_cookies_in_request
+      Util.slice(@configuration.registered_cookies, *@request.cookies.keys)
     end
 
   end

data/safe_cookies.gemspec

@@ -4,8 +4,8 @@ require File.expand_path('../lib/safe_cookies/version', __FILE__)
 Gem::Specification.new do |gem|
   gem.authors       = ["Dominik Schöler"]
   gem.email         = ["dominik.schoeler@makandra.de"]
-  gem.description   = %q{Make cookies as `secure` and `HttpOnly` as possible.}
-  gem.summary       = %q{Make cookies as `secure` and `HttpOnly` as possible.}
+  gem.description   = %q{Make all cookies `secure` and `HttpOnly`.}
+  gem.summary       = %q{Make all cookies `secure` and `HttpOnly`.}
   gem.homepage      = "http://www.makandra.de"
 
   gem.files         = `git ls-files`.split($\)

data/spec/configuration_spec.rb

@@ -0,0 +1,86 @@
+# encoding: utf-8
+require 'spec_helper'
+
+describe SafeCookies::Middleware do
+  
+  it 'does not allow registered cookies to be altered' do
+    SafeCookies.configure do |config|
+      config.register_cookie('filter', :expire_after => 3600)
+    end
+    
+    filter_options = SafeCookies.configuration.registered_cookies['filter']
+    expect { filter_options[:foo] = 'bar' }.to raise_error(Exception, /can't modify frozen hash/i)
+  end
+  
+  describe '.configure' do
+
+    it 'currently does not support the :domain cookie option' do
+      registration_with_domain = lambda do
+        SafeCookies.configure do |config|
+          config.register_cookie('filter', :domain => 'example.com', :expire_after => 3600)
+        end
+      end
+      
+      expect(&registration_with_domain).to raise_error(NotImplementedError)
+    end
+    
+    describe 'register_cookie' do
+      
+      context 'cookie name formatting' do
+
+        let(:set_cookie) do
+          # These tests for the Configuration module require an integration with
+          # the middleware itself. Therefore, we need to actually use it.
+          
+          app = stub('app')
+          env = { 'HTTPS' => 'on' }
+          stub_app_call(app, :application_cookies => 'cookie_name=value')
+
+          middleware = described_class.new(app)
+          code, headers, response = middleware.call(env)
+          headers['Set-Cookie']
+        end
+                
+        it 'understands cookies registered as symbol' do
+          SafeCookies.configure do |config|
+            config.register_cookie(:cookie_name, :expire_after => nil)
+          end
+          
+          set_cookie.should =~ /cookie_name=value;.* secure; HttpOnly/
+        end
+        
+        it 'understands cookies registered as string' do
+          SafeCookies.configure do |config|
+            config.register_cookie('cookie_name', :expire_after => nil)
+          end
+          
+          set_cookie.should =~ /cookie_name=value;.* secure; HttpOnly/
+        end
+        
+      end
+      
+      it 'raises an error if a cookie is registered without passing its expiry' do
+        registration_without_expiry = lambda do
+          SafeCookies.configure do |config|
+            config.register_cookie(:filter, :some => :option)
+          end
+        end
+        
+        expect(&registration_without_expiry).to raise_error(SafeCookies::MissingOptionError)
+      end
+      
+      it 'allows nil as expiry (means session cookie)' do
+        registration_with_nil_expiry = lambda do
+          SafeCookies.configure do |config|
+            config.register_cookie(:filter, :expire_after => nil)
+          end
+        end
+        
+        expect(&registration_with_nil_expiry).to_not raise_error(SafeCookies::MissingOptionError)
+      end 
+     
+    end
+    
+  end
+
+end

data/spec/cookie_path_fix_spec.rb

@@ -0,0 +1,157 @@
+require 'spec_helper'
+require 'cgi'
+
+describe SafeCookies::Middleware do
+  
+  describe 'cookie path fix' do
+    
+    subject { described_class.new(app) }
+    let(:app) { stub 'application' }
+    let(:env) { { 'HTTPS' => 'on' } }
+    
+    before do
+      @now = Time.parse('2050-01-01 00:00')
+      Timecop.travel(@now)
+    end
+    
+    def set_default_request_cookies(secured_at = Time.parse('2040-01-01 00:00'))
+      secured_old_cookies_time = Rack::Utils.rfc2822(secured_at.gmtime)
+      set_request_cookies(env, 'cookie_to_update=some_data', "secured_old_cookies=#{CGI::escape(secured_old_cookies_time)}")
+    end
+
+
+    context 'rewriting previously secured cookies' do
+      
+      before do
+        SafeCookies.configure do |config|
+          config.register_cookie('cookie_to_update', :expire_after => 3600)
+          config.fix_paths :for_cookies_secured_before => Time.parse('2050-01-02 00:00')
+        end
+        
+        stub_app_call(app)
+        set_default_request_cookies
+      end
+      
+      it 'updates the timestamp on the root secured_old_cookies cookie' do
+        code, headers, response = subject.call(env)
+
+        updated_secured_old_cookies_timestamp = 'Fri%2C+31+Dec+2049+23%3A00%3A00+-0000'
+        headers['Set-Cookie'].should =~ /secured_old_cookies=#{Regexp.escape updated_secured_old_cookies_timestamp}; path=\/;/
+      end
+      
+      it 'sets the cookie path to "/"' do
+        code, headers, response = subject.call(env)
+        headers['Set-Cookie'].should =~ /cookie_to_update=some_data;.*path=\/;/
+      end
+    
+      it 'deletes cookies for the current "directory"' do
+        env['PATH_INFO'] = '/complex/sub/path'
+  
+        code, headers, response = subject.call(env)
+        set_cookie = headers['Set-Cookie']
+      
+        # overwrite the cookie with an empty value
+        set_cookie.should =~ /cookie_to_update=;/
+        
+        # the deletion cookie must not have a path, so browsers use their own implementation of cookie path
+        # determination, the same they used when the cookie was implicitly set on the wrong path
+        set_cookie.should_not =~ %r(cookie_to_update=;.*path=)
+        
+        # cookies are deleted by giving them an expiry in the past
+        deletion_expiry = set_cookie[/cookie_to_update=;.*expires=([^;]+)/, 1]
+        Time.parse(deletion_expiry).should < @now
+      end
+    
+      it 'does not delete cookies from root ("/") requests, since root cookies are the default we expect' do
+        env['PATH_INFO'] = '/'
+      
+        code, headers, response = subject.call(env)
+        headers['Set-Cookie'].should_not =~ /cookie_to_update=;/
+      end
+    
+      it 'does not delete cookies from first-level paths like "/first_level", since their "directory" is "/"' do
+        env['PATH_INFO'] = '/first_level'
+      
+        code, headers, response = subject.call(env)
+        headers['Set-Cookie'].should_not =~ /cookie_to_update=;/
+      end
+    
+      it 'does not delete cookies from first-level paths like "/first_level/", since their "directory" is "/"' do
+        env['PATH_INFO'] = '/first_level'
+      
+        code, headers, response = subject.call(env)
+        headers['Set-Cookie'].should_not =~ /cookie_to_update=;/
+      end
+    
+      it 'should not be confused by query parameters' do
+        env['PATH_INFO'] = '/some/sub/directory/with?query=params&and=/another/path'
+      
+        code, headers, response = subject.call(env)
+        headers['Set-Cookie'].should =~ %r(cookie_to_update=;)
+      end
+    
+      it 'should not "fix" a path set by the application' do
+        stub_app_call(app, :application_cookies => 'new_cookie=NEW_DATA; path=/special/path')
+        env['PATH_INFO'] = '/special/path/sub/folder'
+
+        code, headers, response = subject.call(env)
+        headers['Set-Cookie'].should =~ %r(new_cookie=NEW_DATA;.*path=/special/path;)
+      end
+    
+      it 'deletes the secured_old_cookies cookie on the current "directory", so future requests to that directory do not trigger a rewrite of all cookies' do
+        env['PATH_INFO'] = '/complex/sub/path'
+      
+        code, headers, response = subject.call(env)
+  
+        # delete the "directory" secured_old_cookies cookie ...
+        headers['Set-Cookie'].should =~ %r(secured_old_cookies=;)
+        # ... but do not delete the root secured_old_cookies cookie
+        headers['Set-Cookie'].should =~ %r(secured_old_cookies=\w+.*path=/;)
+      end
+      
+      it 'rewrites cookies even if it cannot parse the secured_old_cookies timestamp' do
+        set_request_cookies(env, 'cookie_to_update=some_data', 'secured_old_cookies=rubbish')
+  
+        code, headers, response = subject.call(env)
+        headers['Set-Cookie'].should =~ /cookie_to_update=some_data;.*path=\/;/
+      end
+
+    end
+    
+    it 'does not rewrite previously secured cookies if not told so' do
+      SafeCookies.configure do |config|
+        config.register_cookie('cookie_to_update', :expire_after => 3600)
+        # missing config.fix_paths
+      end
+      stub_app_call(app)
+      set_default_request_cookies
+
+      code, headers, response = subject.call(env)
+      headers['Set-Cookie'].should be_nil
+    end
+    
+    it 'raises an error if told to fix cookie paths without specifying a date' do
+      fix_paths_without_timestamp = lambda do
+        SafeCookies.configure do |config|
+          config.fix_paths # missing :for_cookies_secured_before option
+        end
+      end
+
+      expect(&fix_paths_without_timestamp).to raise_error(SafeCookies::MissingOptionError)
+    end
+  
+    it 'does not rewrite cookies that were secured after the correct_cookie_paths_timestamp' do
+      SafeCookies.configure do |config|
+        config.register_cookie('cookie_to_update', :expire_after => 3600)
+        config.fix_paths :for_cookies_secured_before => Time.parse('2050-01-02 00:00')
+      end
+      stub_app_call(app)
+      set_default_request_cookies(Time.parse('2050-01-03 00:00'))
+
+      code, headers, response = subject.call(env)
+      headers['Set-Cookie'].should be_nil
+    end
+    
+  end
+  
+end

data/spec/safe_cookies_spec.rb

@@ -1,136 +1,229 @@
 # -*- encoding: utf-8 -*-
 require 'spec_helper'
 
-# Explanation:
-# app#call(env) is how the middleware calls the app
-#   returns the app's response
-# subject#call(env) is how the middleware is called "from below"
-#   returns the response that is passed through the web server to the client
-
 describe SafeCookies::Middleware do
   
+  subject { described_class.new(app) }
   let(:app) { stub 'application' }
   let(:env) { { 'HTTPS' => 'on' } }
-  subject { described_class.new(app) }
- 
-  it 'should rewrite specified existing cookies as "secure" and "HttpOnly", but only once' do
-    Timecop.freeze do
-      # first request: rewrite cookie
-      subject = described_class.new(app, :foo => 24 * 60 * 60)
-      app.should_receive(:call).and_return([ stub, {}, stub ])
-      env['HTTP_COOKIE'] = 'foo=bar'
+  
+  it 'should rewrite registered request cookies as secure and http-only, but only once' do
+    SafeCookies.configure do |config|
+      config.register_cookie('foo', :expire_after => 3600)
+    end
+
+    # first request: rewrite cookie
+    stub_app_call(app)
+    set_request_cookies(env, 'foo=bar')
+  
+    code, headers, response = subject.call(env)
+    headers['Set-Cookie'].should =~ /foo=bar;.* secure; HttpOnly/
     
-      code, headers, response = subject.call(env)
-      expected_expiry = Rack::Utils.rfc2822((Time.now + 24 * 60 * 60).gmtime) # a special date format needed here
-      headers['Set-Cookie'].should =~ /foo=bar;[^\n]* HttpOnly/
-      headers['Set-Cookie'].should =~ /foo=bar;[^\n]* secure/
-      headers['Set-Cookie'].should =~ /expires=#{expected_expiry}/
-      headers['Set-Cookie'].should =~ /secured_old_cookies=/ # the indication cookie
-      
-      # second request: do not rewrite cookie again
-      subject = described_class.new(app, :foo => 24 * 60 * 60)
-      app.should_receive(:call).and_return([ stub, {}, stub ])
-      received_cookies = headers['Set-Cookie'].scan(/[^\n;]+=[^\n;]+(?=;\s)/i) # extract cookies
-      env['HTTP_COOKIE'] = received_cookies.join(',')
+    # second request: do not rewrite cookie again
+    received_cookies = extract_cookies(headers['Set-Cookie'])
+    received_cookies.should include('foo=bar') # sanity check
+    
+    # client returns with the cookies, `app` and `subject` are different
+    # objects than in the previous request
+    other_app = stub('application')
+    other_subject = described_class.new(other_app)
+    
+    stub_app_call(other_app)
+    set_request_cookies(env, *received_cookies)
 
-      code, headers, response = subject.call(env)
-      headers['Set-Cookie'].to_s.should == ""
-    end
+    code, headers, response = other_subject.call(env)
+    headers['Set-Cookie'].to_s.should == ''
   end
-  
-  it "should make new cookies secure" do
-    app.should_receive(:call).and_return([ stub, { 'Set-Cookie' => 'neuer_cookie=neuer_cookie_wert'}, stub ])
+
+  it 'should not make cookies secure if the request was not secure' do
+    stub_app_call(app, :application_cookies => 'filter-settings=sort_by_date')
+    env['HTTPS'] = 'off'
     
     code, headers, response = subject.call(env)
-    headers['Set-Cookie'].should =~ /neuer_cookie=neuer_cookie_wert;.* secure/
+    headers['Set-Cookie'].should include("filter-settings=sort_by_date")
+    headers['Set-Cookie'].should_not match(/\bsecure\b/i)
   end
-  
-  it "should make new cookies http_only" do
-    app.should_receive(:call).and_return([ stub, { 'Set-Cookie' => 'neuer_cookie=neuer_cookie_wert'}, stub ])
+
+  it 'expires the secured_old_cookies helper cookie in ten years' do
+    Timecop.freeze(Time.parse('2013-09-17 17:53'))
+
+    SafeCookies.configure do |config|
+      config.register_cookie('cookie_to_update', :expire_after => 3600)
+    end
     
+    set_request_cookies(env, 'cookie_to_update=some_data')
+    stub_app_call(app)
+
     code, headers, response = subject.call(env)
-    headers['Set-Cookie'].should =~ /neuer_cookie=neuer_cookie_wert;.* HttpOnly/
+    
+    headers['Set-Cookie'].should =~ /secured_old_cookies.*expires=Fri, 15 Sep 2023 \d\d:\d\d:\d\d/
   end
   
-  it "should not make new cookies secure that are specified as 'non_secure'" do
-    subject = described_class.new(app, :non_secure => %w[filter-settings])
-    app.should_receive(:call).and_return([ stub, { 'Set-Cookie' => 'filter-settings=sort_by_date'}, stub ])
+  it 'sets cookies on the root path' do
+    SafeCookies.configure do |config|
+      config.register_cookie('my_old_cookie', :expire_after => 3600)
+    end
     
+    set_request_cookies(env, 'my_old_cookie=foobar')
+    stub_app_call(app)
+
     code, headers, response = subject.call(env)
-    headers['Set-Cookie'].should include("filter-settings=sort_by_date")
-    headers['Set-Cookie'].should_not match(/secure/i)
+
+    cookies = headers['Set-Cookie'].split("\n")
+    cookies.size.should == 3 # my_old_cookie and secured_old_cookies and _known_cookies
+    cookies.each do |cookie|
+      cookie.should include('; path=/;')
+    end
   end
   
-  it "should not make new cookies http_only that are specified as 'non_http_only'" do
-    subject = described_class.new(app, :non_http_only => %w[javascript-cookie])
-    app.should_receive(:call).and_return([ stub, { 'Set-Cookie' => 'javascript-cookie=xss'}, stub ])
-    
+  it 'should not alter cookie options coming from the application' do
+    stub_app_call(app, :application_cookies => 'cookie=data; path=/; expires=next_week')
+  
     code, headers, response = subject.call(env)
-    headers['Set-Cookie'].should include("javascript-cookie=xss")
-    headers['Set-Cookie'].should_not match(/HttpOnly/i)
+    headers['Set-Cookie'].should =~ %r(cookie=data; path=/; expires=next_week; secure; HttpOnly)
   end
   
-  it "should prefer the application's cookie if both client and app are sending one" do
-    app.should_receive(:call).and_return([ stub, { 'Set-Cookie' => 'cookie=überschrieben'}, stub ])
-    env['HTTP_COOKIE'] = 'cookie=wert'
+  it 'should respect cookie options set in the configuration' do
+    Timecop.freeze
     
+    SafeCookies.configure do |config|
+      config.register_cookie('foo', :expire_after => 3600, :path => '/special/path')
+    end
+
+    stub_app_call(app)
+    set_request_cookies(env, 'foo=bar')
+    env['PATH_INFO'] = '/special/path/subfolder'
+  
     code, headers, response = subject.call(env)
-    headers['Set-Cookie'].should include("cookie=überschrieben")
+    expected_expiry = Rack::Utils.rfc2822((Time.now + 3600).gmtime) # a special date format needed here
+    headers['Set-Cookie'].should =~ %r(foo=bar; path=/special/path; expires=#{expected_expiry}; secure; HttpOnly)
   end
+  
+  context 'cookies set by the application' do
+    
+    it 'should make application cookies secure and http-only' do
+      stub_app_call(app, :application_cookies => 'application_cookie=value')
 
-  it "should not make existing cookies secure that are specified as 'non_secure'" do
-    subject = described_class.new(app, :filter => 24 * 60 * 60, :non_secure => %w[filter])
-    app.should_receive(:call).and_return([ stub, {}, stub ])
-    env['HTTP_COOKIE'] = 'filter=cars_only'
+      code, headers, response = subject.call(env)
+      headers['Set-Cookie'].should =~ /application_cookie=value;.* secure; HttpOnly/
+    end
+  
+    it 'should not make application cookies secure that are specified as non-secure' do
+      SafeCookies.configure do |config|
+        config.register_cookie('filter-settings', :expire_after => 3600, :secure => false)
+      end
     
-    code, headers, response = subject.call(env)
-    set_cookie = headers['Set-Cookie'].gsub(/,(?=\s\d)/, '') # remove commas in expiry dates to simplify matching below
-    set_cookie.should =~ /filter=cars_only;.* HttpOnly/
-    set_cookie.should_not match(/filter=cars_only;.* secure/)
-  end
+      stub_app_call(app, :application_cookies => 'filter-settings=sort_by_date')
+    
+      code, headers, response = subject.call(env)
+      headers['Set-Cookie'].should include("filter-settings=sort_by_date")
+      headers['Set-Cookie'].should_not =~ /filter-settings=.*secure/i
+    end
   
-  it "should not make existing cookies http_only that are specified as 'non_http_only'" do
-    subject = described_class.new(app, :js_data => 24 * 60 * 60, :non_http_only => %w[js_data])
-    app.should_receive(:call).and_return([ stub, {}, stub ])
-    env['HTTP_COOKIE'] = 'js_data=json'
+    it 'should not make application cookies http-only that are specified as non-http-only' do
+      SafeCookies.configure do |config|
+        config.register_cookie('javascript-cookie', :expire_after => 3600, :http_only => false)
+      end
     
-    code, headers, response = subject.call(env)
-    set_cookie = headers['Set-Cookie']
-    set_cookie.should =~ /js_data=json;.* secure/
-    set_cookie.should_not match(/js_data=json;.* HttpOnly/)
-  end
+      stub_app_call(app, :application_cookies => 'javascript-cookie=xss')
+    
+      code, headers, response = subject.call(env)
+      headers['Set-Cookie'].should include("javascript-cookie=xss")
+      headers['Set-Cookie'].should_not =~ /javascript-cookie=.*HttpOnly/i
+    end
   
-  it "should not make cookies secure if the request was not secure" do
-    subject = described_class.new(app)
-    app.should_receive(:call).and_return([ stub, { 'Set-Cookie' => 'filter-settings=sort_by_date'}, stub ])
-    env['HTTPS'] = 'off'
+    it 'should prefer the application cookie over a client cookie' do
+      stub_app_call(app, :application_cookies => 'cookie=from_application')
+      set_request_cookies(env, 'cookie=from_client,_safe_cookies__known_cookies=cookie')
     
-    code, headers, response = subject.call(env)
-    headers['Set-Cookie'].should include("filter-settings=sort_by_date")
-    headers['Set-Cookie'].should_not match(/secure/i)
-  end
-
-  it 'does not mutate an options hash passed to it' do
-    options = { :cookie1 => 3600, :non_secure => [:cookie2], :non_http_only => [:cookie3] }
-    described_class.new(app, options)
+      code, headers, response = subject.call(env)
+      headers['Set-Cookie'].should include("cookie=from_application")
+      headers['Set-Cookie'].should_not include("cookie=from_client")
+    end
 
-    options[:cookie1].should == 3600
-    options[:non_secure].should == [:cookie2]
-    options[:non_http_only].should == [:cookie3]
+  end
+  
+  context 'cookies sent by the client' do
+    
+    it 'should not make request cookies secure that are specified as non-secure' do
+      SafeCookies.configure do |config|
+        config.register_cookie('filter', :expire_after => 3600, :secure => false)
+      end
+    
+      stub_app_call(app)
+      set_request_cookies(env, 'filter=cars_only')
+    
+      code, headers, response = subject.call(env)
+      headers['Set-Cookie'].should =~ /filter=cars_only;.* HttpOnly/
+      headers['Set-Cookie'].should_not =~ /filter=cars_only;.* secure/
+    end
+  
+    it 'should not make request cookies http-only that are specified as non-http-only' do
+      SafeCookies.configure do |config|
+        config.register_cookie('js-data', :expire_after => 3600, :http_only => false)
+      end
+    
+      stub_app_call(app)
+      set_request_cookies(env, 'js-data=json')
+    
+      code, headers, response = subject.call(env)
+      headers['Set-Cookie'].should =~ /js-data=json;.* secure/
+      headers['Set-Cookie'].should_not =~ /js-data=json;.* HttpOnly/
+    end
+  
   end
 
-  it 'sets cookies on the root path (if no "path" is supplied, browsers assume the current)' do
-    subject = described_class.new(app, :my_old_cookie => 3600)
-    env['HTTP_COOKIE'] = 'my_old_cookie=foobar'
-    app.should_receive(:call).and_return([ stub, {}, stub ])
+  context 'unknown request cookies' do
+    
+    it 'should raise an error if there is an unknown cookie' do
+      set_request_cookies(env, 'foo=bar')
+    
+      expect{ subject.call(env) }.to raise_error(SafeCookies::UnknownCookieError)
+    end
+    
+    it 'should not raise an error if the (unregistered) cookie was initially set by the application' do
+      # application sets cookie
+      stub_app_call(app, :application_cookies => 'foo=bar; path=/some/path; secure')
+      
+      code, headers, response = subject.call(env)
 
-    code, headers, response = subject.call(env)
+      received_cookies = extract_cookies(headers['Set-Cookie'])
+      received_cookies.should include('foo=bar') # sanity check
+      
+      # client returns with the cookie, `app` and `subject` are different
+      # objects than in the previous request
+      other_app = stub('application')
+      other_subject = described_class.new(other_app)
+      
+      stub_app_call(other_app)
+      set_request_cookies(env, *received_cookies)
 
-    cookies = headers['Set-Cookie'].split("\n")
-    cookies.size.should > 0
-    cookies.each do |cookie|
-      cookie.should include('; path=/;')
+      other_subject.call(env)
+    end
+    
+    it 'should not raise an error if the cookie is listed in the cookie configuration' do
+      SafeCookies.configure do |config|
+        config.register_cookie('foo', :expire_after => 3600)
+      end
+    
+      stub_app_call(app)
+      set_request_cookies(env, 'foo=bar')
+      
+      subject.call(env)
     end
+  
+    it 'allows overwriting the error mechanism' do
+      stub_app_call(app)
+      set_request_cookies(env, 'foo=bar')
+      
+      def subject.handle_unknown_cookies(*args)
+        @custom_method_called = true
+      end
+      
+      subject.call(env)
+      subject.instance_variable_get('@custom_method_called').should == true
+    end
+    
   end
 
 end

data/spec/spec_helper.rb

@@ -11,4 +11,24 @@ RSpec.configure do |config|
   # the seed, which is printed after each run.
   #     --seed 1234
   config.order = 'random'
+  
+  config.before(:each) { SafeCookies.configure {} }
+  config.after(:each) {
+    SafeCookies.configuration = nil
+    Timecop.return
+  }
+end
+
+def stub_app_call(app, options = {})
+  env = {}
+  env['Set-Cookie'] = options[:application_cookies] if options[:application_cookies]
+  app.stub :call => [ stub, env, stub ]
+end
+
+def set_request_cookies(env, *cookies)
+  env['HTTP_COOKIE'] = cookies.join(',')
+end
+
+def extract_cookies(set_cookies_header)
+  set_cookies_header.scan(/(?=^|\n)[^\n;]+=[^\n;]+(?=;\s)/i)
 end

metadata

@@ -1,119 +1,104 @@
---- !ruby/object:Gem::Specification 
+--- !ruby/object:Gem::Specification
 name: safe_cookies
-version: !ruby/object:Gem::Version 
-  hash: 29
-  prerelease: 
-  segments: 
-  - 0
-  - 1
-  - 3
-  version: 0.1.3
+version: !ruby/object:Gem::Version
+  version: 0.1.4
 platform: ruby
-authors: 
-- "Dominik Sch\xC3\xB6ler"
+authors:
+- Dominik Schöler
 autorequire: 
 bindir: bin
 cert_chain: []
-
-date: 2013-08-27 00:00:00 +02:00
-default_executable: 
-dependencies: 
-- !ruby/object:Gem::Dependency 
+date: 2013-09-25 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
   name: rack
-  prerelease: false
-  requirement: &id001 !ruby/object:Gem::Requirement 
-    none: false
-    requirements: 
-    - - ">="
-      - !ruby/object:Gem::Version 
-        hash: 3
-        segments: 
-        - 0
-        version: "0"
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
   type: :runtime
-  version_requirements: *id001
-- !ruby/object:Gem::Dependency 
-  name: rspec
   prerelease: false
-  requirement: &id002 !ruby/object:Gem::Requirement 
-    none: false
-    requirements: 
-    - - ">="
-      - !ruby/object:Gem::Version 
-        hash: 3
-        segments: 
-        - 0
-        version: "0"
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
   type: :development
-  version_requirements: *id002
-- !ruby/object:Gem::Dependency 
-  name: timecop
   prerelease: false
-  requirement: &id003 !ruby/object:Gem::Requirement 
-    none: false
-    requirements: 
-    - - ">="
-      - !ruby/object:Gem::Version 
-        hash: 3
-        segments: 
-        - 0
-        version: "0"
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: timecop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
   type: :development
-  version_requirements: *id003
-description: Make cookies as `secure` and `HttpOnly` as possible.
-email: 
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Make all cookies `secure` and `HttpOnly`.
+email:
 - dominik.schoeler@makandra.de
 executables: []
-
 extensions: []
-
 extra_rdoc_files: []
-
-files: 
+files:
 - .gitignore
 - Gemfile
 - LICENSE
 - README.md
 - Rakefile
 - lib/safe_cookies.rb
+- lib/safe_cookies/configuration.rb
+- lib/safe_cookies/cookie_path_fix.rb
+- lib/safe_cookies/util.rb
 - lib/safe_cookies/version.rb
 - safe_cookies.gemspec
+- spec/configuration_spec.rb
+- spec/cookie_path_fix_spec.rb
 - spec/safe_cookies_spec.rb
 - spec/spec_helper.rb
-has_rdoc: true
 homepage: http://www.makandra.de
 licenses: []
-
+metadata: {}
 post_install_message: 
 rdoc_options: []
-
-require_paths: 
+require_paths:
 - lib
-required_ruby_version: !ruby/object:Gem::Requirement 
-  none: false
-  requirements: 
-  - - ">="
-    - !ruby/object:Gem::Version 
-      hash: 3
-      segments: 
-      - 0
-      version: "0"
-required_rubygems_version: !ruby/object:Gem::Requirement 
-  none: false
-  requirements: 
-  - - ">="
-    - !ruby/object:Gem::Version 
-      hash: 3
-      segments: 
-      - 0
-      version: "0"
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
 requirements: []
-
 rubyforge_project: 
-rubygems_version: 1.3.9.5
+rubygems_version: 2.1.2
 signing_key: 
-specification_version: 3
-summary: Make cookies as `secure` and `HttpOnly` as possible.
-test_files: 
+specification_version: 4
+summary: Make all cookies `secure` and `HttpOnly`.
+test_files:
+- spec/configuration_spec.rb
+- spec/cookie_path_fix_spec.rb
 - spec/safe_cookies_spec.rb
 - spec/spec_helper.rb