Allowing clearing of cookies with options. #966
@@ -135,5 +135,27 @@ describe Lucky::CookieJar do | |
name.expired?.should be_true | ||
age.expired?.should be_true | ||
end | ||
|
||
it "deletes cookies with options" do | ||
headers = HTTP::Headers.new | ||
headers["Cookie"] = "name=Rick%20James" | ||
|
||
jar = Lucky::CookieJar.from_request_cookies( | ||
HTTP::Cookies.from_headers(headers)) | ||
|
||
jar.clear do |cookie| | ||
cookie.path("/") | ||
.http_only(true) | ||
.secure(true) | ||
.domain(".example.com") | ||
end | ||
|
||
name = jar.get_raw(:name) | ||
name.value.should eq("") | ||
name.path.should eq("/") | ||
name.domain.should eq(".example.com") | ||
name.secure.should be_true | ||
name.expired?.should be_true | ||
end | ||
end | ||
end |
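Review bot: the new spec sets `.http_only(true)` inside the clear block but never asserts it afterwards; the checks cover value, path, domain, secure and expired? only. Add `name.http_only.should be_true` next to `name.secure.should be_true` so a regression where `delete` drops the HttpOnly flag while keeping the other options is caught. Since the whole point of this change is that every option must survive into the expiring cookie, each option the block sets should have a matching assertion.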
@@ -42,8 +42,21 @@ class Lucky::CookieJar | |||||||
{% raise "use CookieJar#delete instead of CookieJar#unset" %} | ||||||||
end | ||||||||
|
||||||||
# Clear cookies without any specific options. | ||||||||
def clear : Void | ||||||||
clear { } | ||||||||
end | ||||||||
|
||||||||
# Clear cookies with a block to add specific options. | ||||||||
# | ||||||||
# jar.clear do |cookie| | ||||||||
# cookie.path("/") | ||||||||
# .http_only(true) | ||||||||
# .secure(true) | ||||||||
# end | ||||||||
def clear(&block : HTTP::Cookie ->) : Void | ||||||||
I'm not 100% sure I understand the use case. Are you saying that clear doesn't actually clear the cookie? If so, should we automatically set the options or something rather than making people pass a block?

Exactly, you think you are clearing the cookies but the browser blissfully ignores it if the options don't match. Can't really guess at the options either, as there is no way to tell what they were set to originally. I learned this the hard way since the cookies weren't being deleted. I figured out this was the case. I'm going to test this in a bit more of a "production" setup early next week. I'll let you know how that goes.

Maybe we need to do something like explicitly set the cookie if it is empty? Right now I think it does nothing if there are no cookies. lucky/src/lucky/session_handler.cr Lines 21 to 23 in 956d3ab

So maybe we need to set a But I'm not sure :)

I found the spot in rails that mentions the domain has to be the same as when it's set and deleted. I really think it's a browser "feature". Probably some security related concern.

Ah I see! Ok so I think we need a couple things here.

I'd say the current way is a potential security risk because it'd be easy to call session.clear, for example, and if you set a domain it would not actually clear it out.

ping 😂

This looks close. I think we should also add a I also think it'd be cool to read the existing cookies and automatically set the domain option when clearing so that it works as you'd expect, but that could come in a later PR. Here's some rough pseudocode for what I mean:

cookies.each do |cookie|
  delete cookie.name do |deleted|
    # Set the domain for the user (inner block parameter renamed so it does not shadow `cookie`)
    deleted.domain = cookie.domain
  end
end

I don't know if that works as-is, but that's kind of what I'm imagining. Or maybe

Also along with cookies (maybe in another PR), we should probably think about this whole chrome deal https://adzerk.com/blog/chrome-samesite/

Just to make sure I understand, you're proposing adding a method for setting samesite, right? If so I think that is a good idea. It could accept an enum for the accepted values to keep it nice and safe. I think that should be a separate PR, but yeah this would be a great security feature.

Ok, just having come across this in rails... we need to NOT do what rails is doing... unless it's been fixed in 6... I have a signed cookie that no matter what combination I do, I can't get rails to delete it, and it's maddening.
cookies.each do |cookie| | ||||||||
yield cookie | ||||||||
delete cookie.name | ||||||||
end | ||||||||
end | ||||||||
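Review bot: `clear(&block)` yields each cookie and then calls `delete cookie.name`, so the options the caller sets in the block only reach the browser if `delete` reuses the cookie object it was just handed rather than building a fresh expired cookie; if `delete` constructs a new one, the path/domain/secure values are silently discarded and the deletion is the same mismatched one this PR exists to fix. The spec in the other file guards this, but the doc comment above `clear(&block ...)` should say why the block exists: a browser only discards a cookie when the Domain and Path of the expiring Set-Cookie match the ones it was originally set with, so callers must pass the same options they used when setting it. Also, `delete` modifies the jar while `cookies.each` is iterating the same collection; collecting the names first (or iterating over a copy) avoids mutating the collection mid-iteration.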
SUPERFREAK!
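The browser-side rule the thread keeps running into, modelled as an added Python example (this is not Lucky's code and not part of the PR): a cookie store identifies each cookie by (name, domain, path), so an expiring Set-Cookie only removes the cookie whose Domain and Path match the original; the host, store and headers below are constructed for illustration.

```python
from typing import Dict, Optional, Tuple


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Split a Set-Cookie header into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()   # flags like Secure get ""
    return {"name": name.strip(), "value": value.strip(), **attrs}


class CookieStore:
    """Simplified RFC 6265 store: a cookie's identity is (name, domain, path)."""

    def __init__(self, request_host: str, default_path: str = "/") -> None:
        self.host = request_host.lower()
        self.default_path = default_path       # real UAs derive this from the URL
        self.jar: Dict[Tuple[str, str, str], str] = {}

    def apply(self, set_cookie: str) -> None:
        c = parse_set_cookie(set_cookie)
        domain = c.get("domain", "").lstrip(".").lower() or self.host
        path = c.get("path") or self.default_path
        key = (c["name"], domain, path)
        max_age: Optional[str] = c.get("max-age")
        if max_age is not None and int(max_age) <= 0:
            self.jar.pop(key, None)            # removes ONLY the cookie with this key
        else:
            self.jar[key] = c["value"]

    def names(self) -> set:
        return {k[0] for k in self.jar}


def demo() -> Tuple[bool, bool]:
    """Returns (survived naive clear, removed by clear with matching options)."""
    store = CookieStore("app.example.com")
    # Constructed: how the cookie was originally set (Domain and Path present).
    store.apply("name=Rick%20James; Domain=.example.com; Path=/; Secure; HttpOnly")
    # Naive clear with no options targets (name, app.example.com, /): nothing to pop.
    store.apply("name=; Max-Age=0")
    survived = "name" in store.names()
    # Clear with the same Domain/Path, as the PR's clear block does: cookie is gone.
    store.apply("name=; Domain=.example.com; Path=/; Secure; HttpOnly; Max-Age=0")
    removed = "name" not in store.names()
    return survived, removed
```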