nguyenchiencong · August 29, 2015 14:08
diff --git a/application.html.erb b/application.html.erb
 <!DOCTYPE html>
 <html>
  <head>
    <!-- (...) -->
    <%= csrf_meta_tag unless response.cache_control[:public] %>
    <!-- (...) -->
  </head>
  <body>
    <!-- (...) -->
    <% unless response.cache_control[:public] %>
      <% flash.each do |name, msg| %>
        <%= content_tag :div, msg, id: "flash_#{name}" %>
      <% end %>
    <% end %>
    <!-- (...) -->
  </body>
 </html>
diff --git a/application.rb b/application.rb
 require 'strip_empty_sessions'
 config.middleware.insert_before ActionDispatch::Cookies, StripEmptySessions, :key => "your_session_key", :path => "/", :httponly => true
diff --git a/application_controller.rb b/application_controller.rb
 class ApplicationController < ActionController::Base
  include Lacquer::CacheUtils
  
  protect_from_forgery if: signed_in?
  skip_before_filter :verify_authenticity_token, unless: signed_in?
 
  before_filter do |controller| 
    if signed_in? or request.xhr?
      controller.set_cache_ttl(0)
    end
  end
  
 protected
 
  def form_authenticity_token
    if signed_in?
      session[:_csrf_token] ||= SecureRandom.base64(32)
    end
  end
 end
diff --git a/production.rb b/production.rb
 config.middleware.delete 'Rack::Cache'
diff --git a/sessions_controller.rb b/sessions_controller.rb
 class SessionsController < ApplicationController
  def destroy
    request.env["cookie.logout"] = true
  end
 end
diff --git a/strip_empty_sessions.rb b/strip_empty_sessions.rb
 class StripEmptySessions
  ENV_SESSION_KEY = "rack.session".freeze
  HTTP_SET_COOKIE = "Set-Cookie".freeze
  BOGUS_KEYS = [:session_id, :_csrf_token]

  def initialize(app, options = {})
    @app = app
    @options = options
  end

  def call(env)
    status, headers, body = @app.call(env)

    session_data = env[ENV_SESSION_KEY]

    if env["cookie.logout"]
      cookie = build_cookie(@options[:key], {
        :value    => 'x',
        :expires  => -1.year.from_now.utc
      }.merge(@options))

      case headers[HTTP_SET_COOKIE].class.name
      when 'NilClass'
        headers[HTTP_SET_COOKIE] = cookie
      when 'Array'
        headers[HTTP_SET_COOKIE] << cookie
      when 'String'
        headers[HTTP_SET_COOKIE] << "\n#{cookie}"
      end
    elsif (session_data.keys - BOGUS_KEYS).empty?
      case headers[HTTP_SET_COOKIE].class.name
      when 'Array'
        headers[HTTP_SET_COOKIE].reject! {|c| c.match(/^\n?#{@options[:key]}=/)}
      when 'String'
        headers[HTTP_SET_COOKIE].gsub!( /(^|\n)#{@options[:key]}=(.*)?(\n|$)/, "" )
      end
    end

    [status, headers, body]
  end

  private

    # Copied from the cookie session middleware.
    def build_cookie(key, value)
      case value
      when Hash
        domain  = "; domain="  + value[:domain] if value[:domain]
        path    = "; path="    + value[:path]   if value[:path]
        # According to RFC 2109, we need dashes here.
        # N.B.: cgi.rb uses spaces...
        expires = "; expires=" + value[:expires].clone.gmtime.
          strftime("%a, %d-%b-%Y %H:%M:%S GMT") if value[:expires]
        secure = "; secure" if value[:secure]
        httponly = "; HttpOnly" if value[:httponly]
        value = value[:value]
      end
      value = [value] unless Array === value
      Rack::Utils.escape(key) + "=" +
        value.map { |v| Rack::Utils.escape(v) }.join("&") +
        "#{domain}#{path}#{expires}#{secure}#{httponly}"
    end
 end
	<!DOCTYPE html>
	<html>
	<head>
	<!-- (...) -->
	<%= csrf_meta_tag unless response.cache_control[:public] %>
	<!-- (...) -->
	</head>
	<body>
	<!-- (...) -->
	<% unless response.cache_control[:public] %>
	<% flash.each do \|name, msg\| %>
	<%= content_tag :div, msg, id: "flash_#{name}" %>
	<% end %>
	<% end %>
	<!-- (...) -->
	</body>
	</html>
	require 'strip_empty_sessions'
	config.middleware.insert_before ActionDispatch::Cookies, StripEmptySessions, :key => "your_session_key", :path => "/", :httponly => true
	class ApplicationController < ActionController::Base
	include Lacquer::CacheUtils

	protect_from_forgery if: signed_in?
	skip_before_filter :verify_authenticity_token, unless: signed_in?

	before_filter do \|controller\|
	if signed_in? or request.xhr?
	controller.set_cache_ttl(0)
	end
	end

	protected

	def form_authenticity_token
	if signed_in?
	session[:_csrf_token] \|\|= SecureRandom.base64(32)
	end
	end
	end
	class SessionsController < ApplicationController
	def destroy
	request.env["cookie.logout"] = true
	end
	end
	class StripEmptySessions
	ENV_SESSION_KEY = "rack.session".freeze
	HTTP_SET_COOKIE = "Set-Cookie".freeze
	BOGUS_KEYS = [:session_id, :_csrf_token]

	def initialize(app, options = {})
	@app = app
	@options = options
	end

	def call(env)
	status, headers, body = @app.call(env)

	session_data = env[ENV_SESSION_KEY]

	if env["cookie.logout"]
	cookie = build_cookie(@options[:key], {
	:value => 'x',
	:expires => -1.year.from_now.utc
	}.merge(@options))

	case headers[HTTP_SET_COOKIE].class.name
	when 'NilClass'
	headers[HTTP_SET_COOKIE] = cookie
	when 'Array'
	headers[HTTP_SET_COOKIE] << cookie
	when 'String'
	headers[HTTP_SET_COOKIE] << "\n#{cookie}"
	end
	elsif (session_data.keys - BOGUS_KEYS).empty?
	case headers[HTTP_SET_COOKIE].class.name
	when 'Array'
	headers[HTTP_SET_COOKIE].reject! {\|c\| c.match(/^\n?#{@options[:key]}=/)}
	when 'String'
	headers[HTTP_SET_COOKIE].gsub!( /(^\|\n)#{@options[:key]}=(.*)?(\n\|$)/, "" )
	end
	end

	[status, headers, body]
	end

	private

	# Copied from the cookie session middleware.
	def build_cookie(key, value)
	case value
	when Hash
	domain = "; domain=" + value[:domain] if value[:domain]
	path = "; path=" + value[:path] if value[:path]
	# According to RFC 2109, we need dashes here.
	# N.B.: cgi.rb uses spaces...
	expires = "; expires=" + value[:expires].clone.gmtime.
	strftime("%a, %d-%b-%Y %H:%M:%S GMT") if value[:expires]
	secure = "; secure" if value[:secure]
	httponly = "; HttpOnly" if value[:httponly]
	value = value[:value]
	end
	value = [value] unless Array === value
	Rack::Utils.escape(key) + "=" +
	value.map { \|v\| Rack::Utils.escape(v) }.join("&") +
	"#{domain}#{path}#{expires}#{secure}#{httponly}"
	end
	end