Allow secure cookie #205

Merged
2 commits merged into from

3 participants

Malcolm Locke Lawrence Pit Brandon Bloom
Malcolm Locke

In response to the recent interest in session hijacking attacks, this change allows the cookie to have the secure flag, and therefore only ever be sent over SSL connections.

Malcolm Locke

Closing this and re-opening a new pull with an extra config flag.

Deleted user ghost merged commit cfd65d6 into from
This issue was closed.
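To make the two flags discussed in this pull request concrete, the following is an added example, not Authlogic's own code and not part of the original thread. It assumes a Rack-style cookie jar that appends the `secure` and `HttpOnly` attributes whenever the corresponding option is truthy, reuses the patch's boolean coercion (`true`, `"true"` or `"1"` count as on) under the illustrative name `flag_on?`, and models what a browser does with each flag. The token, expiry and domain are constructed values.

```ruby
require "time"

# Added example (not Authlogic code). Models how :secure and :httponly travel
# from configuration to the Set-Cookie header and what a browser does with them.

# The patch's coercion: only true, "true" or "1" switch a flag on, so a value
# read from YAML or ENV as the string "false" stays off.
def flag_on?(value)
  value == true || value == "true" || value == "1"
end

# Serialises a cookie the way a Rack-style jar does: attribute-only flags are
# appended when the option is truthy (plain Ruby truthiness, so the string
# "false" would still set the flag). Same option keys as save_cookie uses.
def set_cookie_header(name, opts)
  parts = ["#{name}=#{opts[:value]}"]
  parts << "domain=#{opts[:domain]}" if opts[:domain]
  parts << "path=#{opts[:path] || '/'}"
  parts << "expires=#{opts[:expires].httpdate}" if opts[:expires]
  parts << "secure" if opts[:secure]
  parts << "HttpOnly" if opts[:httponly]
  parts.join("; ")
end

# Parses a Set-Cookie header into name, value and lower-cased attribute names.
def parse_set_cookie(header)
  pair, *attrs = header.split(/;\s*/)
  name, value = pair.split("=", 2)
  { name: name, value: value,
    attrs: attrs.map { |a| a.split("=", 2).first.downcase } }
end

# A conforming browser only attaches a Secure cookie to https requests.
def browser_sends?(cookie, scheme)
  return true unless cookie[:attrs].include?("secure")
  scheme == "https"
end

# An HttpOnly cookie is hidden from document.cookie.
def script_readable?(cookie)
  !cookie[:attrs].include?("httponly")
end

# Builds an Authlogic-shaped credential cookie ("token::id") for a config hash,
# applying the coercion before the values reach the jar.
def build_session_cookie(config, persistence_token, user_id)
  set_cookie_header("user_credentials",
    value:    "#{persistence_token}::#{user_id}",
    expires:  Time.utc(2011, 2, 4, 12, 0, 0),  # constructed remember_me_until
    domain:   "example.com",                   # constructed cookie_domain
    secure:   flag_on?(config[:secure]),
    httponly: flag_on?(config[:httponly]))
end

TOKEN = "4f2a9c0e"                                      # constructed, not a real token
DEFAULT_CONFIG  = { secure: false, httponly: false }    # the patch's defaults
HARDENED_CONFIG = { secure: "true", httponly: "1" }     # string values, e.g. from ENV

# Returns, for each config, the header emitted and how a browser would treat it.
def demo
  [DEFAULT_CONFIG, HARDENED_CONFIG].map do |cfg|
    header = build_session_cookie(cfg, TOKEN, 42)
    cookie = parse_set_cookie(header)
    { header:          header,
      sent_over_http:  browser_sends?(cookie, "http"),
      sent_over_https: browser_sends?(cookie, "https"),
      script_readable: script_readable?(cookie) }
  end
end

if __FILE__ == $0
  demo.each { |r| puts r.inspect }
end
```

With the defaults the credential cookie goes out on every plain-HTTP request and is readable from script; with both flags on it is only sent over HTTPS and is invisible to `document.cookie`. Passing the raw string `"false"` straight to the jar, as `save_cookie` does in the patch, would still set the attribute, which is why the coercion has to sit between configuration and the cookie hash.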
Commits on Nov 4, 2010
  1. Malcolm Locke
Commits on Nov 10, 2010
  1. Brandon Bloom
56 lib/authlogic/session/cookies.rb
@@ -47,6 +47,24 @@ def remember_me_for(value = :_read)
rw_config(:remember_me_for, value, 3.months, :_read)
end
alias_method :remember_me_for=, :remember_me_for
+
+ # Should the cookie be set as secure? If true, the cookie will only be sent over SSL connections
+ #
+ # * <tt>Default:</tt> false
+ # * <tt>Accepts:</tt> Boolean
+ def secure(value = nil)
+ rw_config(:secure, value, false)
+ end
+ alias_method :secure=, :secure
+
+ # Should the cookie be set as httponly? If true, the cookie will not be accessable from javascript
+ #
+ # * <tt>Default:</tt> false
+ # * <tt>Accepts:</tt> Boolean
+ def httponly(value = nil)
+ rw_config(:httponly, value, false)
+ end
+ alias_method :httponly=, :httponly
end
# The methods available for an Authlogic::Session::Base object that make up the cookie feature set.
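Review bot: "accessable" in the httponly doc comment should be "accessible", and "SSL connections" would be clearer as "HTTPS requests", since that is the condition the browser actually applies. One more documentation point: `rw_config(:secure, value, false)` relies on `nil` as the read sentinel (so `UserSession.secure false` writes and `UserSession.secure` reads), whereas `remember_me_for` directly above uses `:_read`; a short comment explaining why `nil` is safe here (nil is never a meaningful value for a boolean flag) would save the next reader from wondering whether the two were meant to match.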
@@ -91,7 +109,39 @@ def remember_me_until
return unless remember_me?
remember_me_for.from_now
end
-
+
+ # If the cookie should be marked as secure (SSL only)
+ def secure
+ return @secure if defined?(@secure)
+ @secure = self.class.secure
+ end
+
+ # Accepts a boolean as to whether the cookie should be marked as secure. If true the cookie will only ever be sent over an SSL connection.
+ def secure=(value)
+ @secure = value
+ end
+
+ # See secure
+ def secure?
+ secure == true || secure == "true" || secure == "1"
+ end
+
+ # If the cookie should be marked as httponly (not accessable via javascript)
+ def httponly
+ return @httponly if defined?(@httponly)
+ @httponly = self.class.httponly
+ end
+
+ # Accepts a boolean as to whether the cookie should be marked as httponly. If true, the cookie will not be accessable from javascript
+ def httponly=(value)
+ @httponly = value
+ end
+
+ # See httponly
+ def httponly?
+ httponly == true || httponly == "true" || httponly == "1"
+ end
+
private
def cookie_key
build_key(self.class.cookie_key)
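Review bot: `secure?` and `httponly?` normalise `"true"`/`"1"` to booleans, but nothing in this patch calls them; `save_cookie` below passes the raw `secure` and `httponly` values into the cookie hash, so a string `"false"` read from configuration would be truthy and set the flag anyway. Either have `save_cookie` use the predicates or drop them, since otherwise they are dead code that suggests a normalisation that does not happen. Also "accessable" appears twice here and should be "accessible", and the leading `-`/`+` blank-line pair looks like a trailing-whitespace-only change that adds noise to the diff.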
@@ -117,6 +167,8 @@ def save_cookie
controller.cookies[cookie_key] = {
:value => "#{record.persistence_token}::#{record.send(record.class.primary_key)}",
:expires => remember_me_until,
+ :secure => secure,
+ :httponly => httponly,
:domain => controller.cookie_domain
}
end
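Review bot: `:secure => secure` and `:httponly => httponly` should be `:secure => secure?` and `:httponly => httponly?`, so that the string-to-boolean coercion defined above is actually applied before the values reach the cookie jar. Worth stating in the option docs as well: once `secure` is on, the browser will not send this cookie on plain-HTTP requests, so any page of the application still served over HTTP will appear logged out; the flag only does its job when the whole authenticated surface is HTTPS.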
@@ -127,4 +179,4 @@ def destroy_cookie
end
end
end
-end
+end
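Review bot: this `-end`/`+end` hunk changes only the whitespace or trailing newline of the last line and is unrelated to the feature; it is fine to keep, but it would be cleaner in a separate cleanup commit so the functional diff stays minimal.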
26 test/session_test/cookies_test.rb
@@ -41,6 +41,30 @@ def test_remember_me_for
session.remember_me = true
assert_equal 3.months, session.remember_me_for
end
+
+ def test_secure
+ UserSession.secure = true
+ assert_equal true, UserSession.secure
+ session = UserSession.new
+ assert_equal true, session.secure
+
+ UserSession.secure false
+ assert_equal false, UserSession.secure
+ session = UserSession.new
+ assert_equal false, session.secure
+ end
+
+ def test_httponly
+ UserSession.httponly = true
+ assert_equal true, UserSession.httponly
+ session = UserSession.new
+ assert_equal true, session.httponly
+
+ UserSession.httponly false
+ assert_equal false, UserSession.httponly
+ session = UserSession.new
+ assert_equal false, session.httponly
+ end
end
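Review bot: these tests only round-trip the class and instance configuration; nothing asserts that `save_cookie` actually emits `:secure`/`:httponly`, or that `secure?`/`httponly?` treat `"true"` and `"1"` as on and `"false"`/`nil` as off. Add a case in InstanceMethodsTest that saves the cookie and inspects the options passed to `controller.cookies[...]`, plus one for the predicates with string inputs. Minor style point: `UserSession.secure = true` and `UserSession.secure false` are mixed within the same test; either form works, but using one consistently reads better.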
class InstanceMethodsTest < ActiveSupport::TestCase
@@ -109,4 +133,4 @@ def test_after_destroy_destroy_cookie
end
end
end
-end
+end