
Don't send cookies if session is undefined

commit 73f841bb43b91a4adc3e77de305b763dffa80559 1 parent 774fa10
@mwilliamson mwilliamson authored
Showing with 98 additions and 19 deletions.
  1. +28 −17 lib/cookie-sessions.js
  2. +70 −2 test/test-cookie-sessions.js
45 lib/cookie-sessions.js
@@ -28,24 +28,35 @@ var exports = module.exports = function(settings){
// response so that the timestamp is up to date, and the session
// does not expire unless the user is inactive.
- var cookiestr = escape(s.session_key) + '='
- + escape(exports.serialize(s.secret, req.session))
- + '; expires=' + exports.expires(s.timeout)
- + '; path=/';
-
- if(Array.isArray(headers)) headers.push(['Set-Cookie', cookiestr]);
- else {
- // if a Set-Cookie header already exists, convert headers to
- // array so we can send multiple Set-Cookie headers.
- if(headers['Set-Cookie'] !== undefined){
- headers = exports.headersToArray(headers);
- headers.push(['Set-Cookie', cookiestr]);
- args[args.length-1] = headers;
+ var cookiestr;
+ if (req.session === undefined) {
+ if ("cookie" in req.headers) {
+ cookiestr = escape(s.session_key) + '='
+ + '; expires=' + exports.expires(0)
+ + '; path=/';
}
- // if no Set-Cookie header exists, leave the headers as an
- // object, and add a Set-Cookie property
+ } else {
+ cookiestr = escape(s.session_key) + '='
+ + escape(exports.serialize(s.secret, req.session))
+ + '; expires=' + exports.expires(s.timeout)
+ + '; path=/';
+ }
+
+ if (cookiestr !== undefined) {
+ if(Array.isArray(headers)) headers.push(['Set-Cookie', cookiestr]);
else {
- headers['Set-Cookie'] = cookiestr;
+ // if a Set-Cookie header already exists, convert headers to
+ // array so we can send multiple Set-Cookie headers.
+ if(headers['Set-Cookie'] !== undefined){
+ headers = exports.headersToArray(headers);
+ headers.push(['Set-Cookie', cookiestr]);
+ args[args.length-1] = headers;
+ }
+ // if no Set-Cookie header exists, leave the headers as an
+ // object, and add a Set-Cookie property
+ else {
+ headers['Set-Cookie'] = cookiestr;
+ }
}
}
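Review bot: The `req.session === undefined` test treats only `undefined` as "no session", so a handler that clears the session with `req.session = null` falls into the `else` branch, where `null` is passed to `exports.serialize` and sent back as a signed cookie; `if (req.session == null) {` would cover both cases. The clearing cookie also only asks the browser to drop its copy: the session state appears to live in the signed cookie itself, so a previously issued value would presumably keep validating until `s.timeout` passes. That deserves a comment above the branch, e.g. `// expiring the cookie is client-side only; an old cookie value stays valid until it times out`. Neither cookie string sets `HttpOnly`, which a session cookie would normally carry. The enclosing function starts and ends outside this hunk.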
@@ -179,7 +190,7 @@ exports.readSession = function(key, secret, timeout, req){
if(cookies[key]){
return exports.deserialize(secret, timeout, cookies[key]);
}
- return {};
+ return undefined;

Maybe we can update the comment: // otherwise returns an empty object.

An undefined value breaks existing code and is not the expected behaviour.

François

};
72 test/test-cookie-sessions.js
@@ -299,7 +299,7 @@ exports['readSession no cookie'] = function(test){
var r = sessions.readSession(
'node_session', 'secret', 12, 'request_obj'
);
- test.same(r, {}, 'return empty session');
+ test.same(r, undefined, 'return empty session');
// restore copied functions
sessions.readCookies = readCookies;
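Review bot: The assertion message `'return empty session'` is now stale, because the expected value on the changed line is `undefined` rather than an empty session object. Something like `test.same(r, undefined, 'return undefined when no session cookie');` keeps the failure output accurate. The test function starts and ends outside this hunk.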
@@ -344,7 +344,7 @@ exports['writeHead'] = function(test){
secret: 'secret',
timeout: 86400
};
- var req = {headers: {}};
+ var req = {headers: {cookie: "_node="}};
var res = {
writeHead: function(code, headers){
test.equals(
@@ -382,6 +382,74 @@ exports['writeHead'] = function(test){
sessions(s)(req, res, next);
};
+exports['writeHead doesnt write cookie if none exists and session is undefined'] = function(test){
+ test.expect(3);
+
+ var s = {
+ session_key:'_node',
+ secret: 'secret',
+ timeout: 86400
+ };
+ var req = {headers: {}};
+ var res = {
+ writeHead: function(code, headers){
+ test.ok(!("Set-Cookie" in headers));
+ test.equals(headers['original'], 'header');
+ }
+ };
+
+ var next = function(){
+ test.ok(true, 'chain.next called');
+ req.session = undefined;
+ res.writeHead(200, {'original':'header'});
+ test.done();
+ };
+ sessions(s)(req, res, next);
+};
+
+exports['writeHead writes empty cookie with immediate expiration if session is undefined'] = function(test){
+ test.expect(4);
+
+ var s = {
+ session_key:'_node',
+ secret: 'secret',
+ timeout: 86400
+ };
+ var req = {headers: {cookie: "_node=Blah"}};
+ var res = {
+ writeHead: function(code, headers){
+ test.equals(
+ headers['Set-Cookie'],
+ '_node=; ' +
+ 'expires=now; ' +
+ 'path=/'
+ );
+ test.equals(headers['original'], 'header');
+ }
+ };
+
+ var expires = sessions.expires;
+ sessions.expires = function(timeout){
+ test.equals(timeout, 0);
+ return 'now';
+ };
+ var readSession = sessions.readSession;
+ sessions.readSession = function(key, secret, timeout, req) {
+ return {"username": "Bob"};
+ };
+
+ var next = function(){
+ test.ok(true, 'chain.next called');
+ req.session = undefined;
+ res.writeHead(200, {'original':'header'});
+ // restore copied functions
+ sessions.expires = expires;
+ sessions.readSession = readSession;
+ test.done();
+ };
+ sessions(s)(req, res, next);
+};
+
exports['onInit secret set'] = function(test){
test.expect(0);
var s = {secret: 'secret'};
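Review bot: The two new tests cover "no Cookie header" and "session cookie present", but neither sends a `Cookie` header that lacks the `_node` key. As far as the library hunk shows, `"cookie" in req.headers` would still emit the expiring `Set-Cookie` in that case, so a test with a made-up header such as `var req = {headers: {cookie: "other=1"}};` would pin down which behaviour is intended. In the second test the stubs for `sessions.expires` and `sessions.readSession` are restored only inside `next`, after `res.writeHead`, so a throwing assertion leaves them replaced for later tests. Wrapping the call as `try { res.writeHead(200, {'original':'header'}); } finally { sessions.expires = expires; sessions.readSession = readSession; }` would contain that. The trailing `onInit secret set` test continues outside the hunk.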