While I was dealing with cookies the other day, came across the commit https://github.com/rails/rails/commit/2d5a12a50bcd83fcc99865de759b82e661b28698
Currently, the prerequisites of writing cookie are following:
-
request.ssl? # SSL request
-
!cookie[:secure] # No secure flag
-
Rails.env.development? # Development environment
The first two conditions are easily understandable. However the last one is a bit confusing. In development environment, it allows to write cookie, while no in other environments. Upon writing cookies - such general behavior, discrepancy across environments should be smoothed.
If we want to control the behavior of writing cookie, use this configuration directive config.always_write_cookie, however it’s not showing up in any docs.
My plan is to remove Rails.env.development? check and add config.always_write_cookie into docs, so that the behavior can be controlled in certain cases.
Related source files:
-
Write cookie: https://github.com/rails/rails/blob/master/actionpack/lib/action_dispatch/middleware/cookies.rb#L450
-
always_write_cookie: https://github.com/rails/rails/blob/master/actionpack/lib/action_dispatch/railtie.rb#L50
See my commit: https://github.com/hlcfan/rails/commit/8fb37e6b1f2ec5d417fa2963c2962ee21c6a9d51. Please let me know your thoughts, thanks!
