From 122970bc11fdc795d940801839ea481388169c83 Mon Sep 17 00:00:00 2001
From: r888888888
Date: Mon, 18 Jul 2016 16:41:38 -0700
Subject: [PATCH] fixes #2620: Users who logged in securely should always be redirected to the HTTPS version of Danbooru

---
 app/controllers/application_controller.rb | 5 +++++
 app/logical/session_creator.rb | 8 ++++++++
 2 files changed, 13 insertions(+)

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 87a6f036a..4d6a337e5 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -11,6 +11,7 @@ class ApplicationController < ActionController::Base
   before_filter :set_safe_mode
   # before_filter :secure_cookies_check
   layout "default"
+  force_ssl :if => :ssl_login?
 
   rescue_from Exception, :with => :rescue_exception
   rescue_from User::PrivilegeError, :with => :access_denied
@@ -18,6 +19,10 @@ class ApplicationController < ActionController::Base
   rescue_from Danbooru::Paginator::PaginationError, :with => :render_pagination_limit
 
 protected
+  def ssl_login?
+    cookies[:ssl_login].present?
+  end
+
   def enable_cors
     response.headers["Access-Control-Allow-Origin"] = "*"
   end
diff --git a/app/logical/session_creator.rb b/app/logical/session_creator.rb
index b21c3eb72..7174a1148 100644
--- a/app/logical/session_creator.rb
+++ b/app/logical/session_creator.rb
@@ -28,6 +28,14 @@ class SessionCreator
       }
     end
 
+    if secure
+      cookies.permanent[:ssl_login] = {
+        :value => "1",
+        :secure => true,
+        :httponly => true
+      }
+    end
+
     session[:user_id] = user.id
     user.update_column(:last_ip_addr, ip_addr)
     return true
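Review bot: The `ssl_login?` predicate gating `force_ssl` can never be true on the plain-HTTP request it is meant to redirect, because the cookie it tests is created in the session_creator.rb hunk with `:secure => true`, which instructs the browser to send it only over HTTPS; the redirect therefore only fires on requests that are already HTTPS and the fix for #2620 does not take effect. The marker carries no secret (its value is the constant "1" and only presence is tested), so it is safe to send in the clear: in session_creator.rb change `:secure => true` to `:secure => false` and keep `:httponly => true`. An attacker who removes or injects this cookie only changes whether that client is pushed to HTTPS, so a non-secure marker adds no new exposure, though a cookie-based opt-in still cannot protect the first plain-HTTP request of a browser that lacks it, which is what a sitewide HSTS policy would cover. The `ApplicationController` class body continues outside both hunks.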
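Review bot: `ssl_login?` has no comment connecting it to the cookie written by SessionCreator, and because it is a `protected` method reached only through `force_ssl :if => :ssl_login?` a reader of this file cannot tell what the cookie means, who sets it, or that its value is deliberately ignored. Add above `def ssl_login?`: `# True when the browser presents the ssl_login marker cookie written by SessionCreator for a secure login; only its presence matters, the value is never trusted.` A second line noting that `force_ssl` evaluates this before every action would make the performance and redirect scope explicit.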
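Review bot: The opt-in cookie is written with `cookies.permanent`, which in Rails means an expiry roughly twenty years out, and nothing in this hunk ever removes it, so a single secure login pins the browser to HTTPS redirects until its cookie store is cleared, regardless of how later logins on the same browser are performed. If that persistence is intended, say so with a comment above `if secure`, e.g. `# Sticky opt-in: once a user has logged in over HTTPS this browser is always redirected to HTTPS (see ApplicationController#ssl_login?)`; if a later plain login should opt out instead, add an `else` branch with `cookies.delete(:ssl_login)`. The `secure` flag and the `cookies` jar are defined outside the hunk (the enclosing method begins before line 28), so where `secure` is parsed from the login form cannot be checked here.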