How can I disable URL-encoding of cookies in Rails

Question

I have a Rails application that has to co-exist with a very old legacy application. The legacy application looks for a cookie that has a value containing a specific string of characters. Unfortunately, the characters in the legacy cookie often contain slashes. The problem I have is that when the Rails application writes the cookie it first does URL-encoding which causes the legacy app to break because the cookie values is incorrect.

I had this working in Rails 1.13.5 by editing the file cookie_performance_fix.rb (Path: ./actionpack-1.13.5/lib/action_controller/cgi_ext/cookie_performance_fix.rb)
In order to get this to work I changed the code as shown:

def to_s
  buf = ""
  buf << @name << '='

  if @value.kind_of?(String)
    rails code. 
        #buf << CGI::escape(@value)
         buf << @value
  else
        #buf << @value.collect{|v| CGI::escape(v) }.join("&")
   buf << @value.collect{|v| (v) }.join("&")

  end

This actually worked fine until I decided to upgrade Rails to version 2.3.2
In Rails 2.3.2 the cookie_performance_fix.rb file no longer exists. I looked in the same directory and found a file called cookie.rb which I tried modifying in a similar fashion.

def to_s
  buf = ''
  buf << @name << '='
  #buf << (@value.kind_of?(String) ? CGI::escape(@value) : @value.collect{|v| CGI::escape(v) }.join("&"))
    buf << (@value.kind_of?(String) ? @value : @value.collect{|v| (v) }.join("&"))
  buf << '; domain=' << @domain if @domain
  buf << '; path=' << @path if @path
  buf << '; expires=' << CGI::rfc1123_date(@expires) if @expires
  buf << '; secure' if @secure
  buf << '; HttpOnly' if @http_only
  buf
end

This unfortunately does not seem to work. The cookie keeps getting URL-encoded in the new Rails 2.3.2. I know that turning off URL-encoding is not the best idea, but I don't have much choice until the legacy application is retired. I unfortunately do not have access to the legacy code to add support for URL-unencoding the cookie so I have to make sure the legacy cookie is written with the correct sequence including the slashes. If anyone can tell me how to turn off URL-encoding in Rails 2.3.2 it would be greatly appreciated.
Thanks.

Answer 1

After doing some digging I have found the answer to my question and I am documenting it here in case it is of use to anyone else.

In order to turn off URL-encoding in Rails 2.3.2 it is necessary to edit the following file: actionpack-2.3.2/lib/action_controller/vendor/rack-1.0/rack/response.rb

Around line 70 the ID and value of the cookie is set. I made the following change to turn of URL-encoding:

cookie = Utils.escape(key) + "=" +
    #value.map { |v| Utils.escape v }.join("&") +
    value.map { |v| v }.join("&") +
    "#{domain}#{path}#{expires}#{secure}#{httponly}"

NOTE: This modification only affects standard cookies - not the cookies used as session data by Rails in version 2.3.2.

DISCLAIMER: I am in no way recommending this modification as a best practice. This modification was only done for the specific reason of handling legacy code requirement that required a cookie to be in a particular format. A better option would even be to modify the legacy code to handle URL-encoding. Unfortunately, that option was closed to me so I was forced to hack around on the underlying Rails code - which is not something I would generally recommend. Of course it should go without saying that making this type of modification runs the risk that the problem will have to be re-addressed every time you upgrade your Rails installation as the underlying code may change. That is actually what happened in my case. And of course there are also probably good reasons (security, standards compliance, etc.) for keeping the URL-encoding if at all possible.