README.md in safe_cookies-0.1.5 vs README.md in safe_cookies-0.1.6

- old
+ new

@@ -6,26 +6,22 @@ * set all new application cookies 'secure', if the request came via HTTPS and not specified otherwise * rewrite request cookies, setting both flags as above ## Installation +### Step 1 Add this line to your application's Gemfile: gem 'safe_cookies' -Then run: +Then run `bundle`. - $ bundle +Though this gem is aimed at Rails applications, you may even use it without Rails. Install it then with +`gem install safe_cookies`. -Or install it yourself as: - $ gem install safe_cookies - - -## Usage - -### Step 1 +### Step 2 **Rails 3**: add the following line in config/application.rb: class Application < Rails::Application # ... config.middleware.insert_before ActionDispatch::Cookies, SafeCookies::Middleware @@ -37,13 +33,13 @@ # ... require 'safe_cookies' config.middleware.insert_before ActionController::Session::CookieStore, SafeCookies::Middleware end -### Step 2 +### Step 3 Register cookies, either just after the lines you added in step 1 or in in an initializer -(e.g. config/initializers/safe_cookies.rb): +(e.g. in `config/initializers/safe_cookies.rb): SafeCookies.configure do |config| config.register_cookie :remember_token, :expire_after => 1.year config.register_cookie :last_action, :expire_after => 30.days config.register_cookie :default_language, :expire_after => 10.years, :secure => false @@ -53,28 +49,32 @@ This will have the `default_language` cookie not made secure, the `javascript_data` cookie not made http-only. It will rewrite the `remember_token` with an expiry of one year and the `last_action` cookie with an expiry of 30 days, making both of them secure and http-only. Available options are: `:expire_after (required), :path, :secure, :http_only`. -### Step 3 -Override `SafeCookies::Middleware#handle_unknown_cookies(cookies)` (see "Dealing with unregistered cookies" below). +### Step 4 (only for Rails 2) +Override `SafeCookies::Middleware#handle_unknown_cookies(cookies)` (see "Dealing with unregistered +cookies" below). ## Dealing with unregistered cookies -The middleware is not able to secure cookies without knowing their properties (most important: their -expiry). Unfortunately, the [client won't ever tell us](http://tools.ietf.org/html/rfc6265#section-4.2.2) -if the cookie was originally sent with flags such as "secure" or which expiry date it currently has. +The middleware is not able to secure cookies without knowing their attributes (most important: their +expiry). Unfortunately, [the client won't ever tell us](http://tools.ietf.org/html/rfc6265#section-4.2.2) +if it stores the cookie with flags such as "secure" or which expiry date it currently has. Therefore, it is important to register all cookies that users may come with, specifying their properties. Unregistered cookies cannot be secured. -If a request brings a cookie that is not registered, the middleware will raise +If a request brings a cookie that is not registered, the middleware will raise a `SafeCookies::UnknownCookieError`. Rails 3+ should handle the exception as any other in your application, but by default, **you will not be notified from Rails 2 applications** and the user will see a standard 500 Server Error. Override `SafeCookies::Middleware#handle_unknown_cookies(cookies)` in the config initializer for customized exception handling (like, notifying you per email). -You should not ignore an unregistered cookie, but instead register it. +You should register any cookie that your application has to do with. However, there are cookies that you +do not control, like Google's `__utma` & co. You can tell the middleware to ignore those with the +`config.ignore_cookie` directive, which takes either a String or a Regex parameter. Be careful when using +regular expressions! ## Fix cookie paths In August 2013 we noticed a bug in SafeCookies < 0.1.4, by which secured cookies would be set for the