Refactor cookie_only option to survive multiple requests and add regression tests. References #10048. [theflow] git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8176 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
Showing
2 changed files
with
95 additions
and
3 deletions.
@@ -0,0 +1,88 @@ | |||
require File.dirname(__FILE__) + '/../abstract_unit' | |||
|
|||
class SessionFixationTest < Test::Unit::TestCase | |||
class MockCGI < CGI #:nodoc: | |||
attr_accessor :stdoutput, :env_table | |||
|
|||
def initialize(env, data = '') | |||
self.env_table = env | |||
self.stdoutput = StringIO.new | |||
super(nil, StringIO.new(data)) | |||
end | |||
end | |||
|
|||
class TestController < ActionController::Base | |||
session :session_key => '_myapp_session_id', :secret => 'secret', :except => :default_session_key | |||
session :cookie_only => false, :only => :allow_session_fixation | |||
|
|||
def default_session_key | |||
render :text => "default_session_key" | |||
end | |||
|
|||
def custom_session_key | |||
render :text => "custom_session_key: #{params[:id]}" | |||
end | |||
|
|||
def allow_session_fixation | |||
render :text => "allow_session_fixation" | |||
end | |||
|
|||
def rescue_action(e) raise end | |||
end | |||
|
|||
def setup | |||
@controller = TestController.new | |||
end | |||
|
|||
def test_should_be_able_to_make_a_successful_request | |||
cgi = mock_cgi_for_request_to(:custom_session_key, :id => 1) | |||
|
|||
assert_nothing_raised do | |||
@controller.send(:process, ActionController::CgiRequest.new(cgi, {}), ActionController::CgiResponse.new(cgi)) | |||
end | |||
assert_equal 'custom_session_key: 1', @controller.response.body | |||
assert_not_nil @controller.session | |||
end | |||
|
|||
def test_should_catch_session_fixation_attempt | |||
cgi = mock_cgi_for_request_to(:custom_session_key, :_myapp_session_id => 42) | |||
|
|||
assert_raises ActionController::CgiRequest::SessionFixationAttempt do | |||
@controller.send(:process, ActionController::CgiRequest.new(cgi, {}), ActionController::CgiResponse.new(cgi)) | |||
end | |||
assert_nil @controller.session | |||
end | |||
|
|||
def test_should_not_catch_session_fixation_attempt_when_cookie_only_setting_is_disabled | |||
cgi = mock_cgi_for_request_to(:allow_session_fixation, :_myapp_session_id => 42) | |||
|
|||
assert_nothing_raised do | |||
@controller.send(:process, ActionController::CgiRequest.new(cgi, {}), ActionController::CgiResponse.new(cgi)) | |||
end | |||
assert ! @controller.response.body.blank? | |||
assert_not_nil @controller.session | |||
end | |||
|
|||
def test_should_catch_session_fixation_attempt_with_default_session_key | |||
ActionController::Base.session_store = :p_store # using the default session_key is not possible with cookie store | |||
cgi = mock_cgi_for_request_to(:default_session_key, :_session_id => 42) | |||
|
|||
assert_raises ActionController::CgiRequest::SessionFixationAttempt do | |||
@controller.send(:process, ActionController::CgiRequest.new(cgi, {}), ActionController::CgiResponse.new(cgi)) | |||
end | |||
assert @controller.response.body.blank? | |||
assert_nil @controller.session | |||
end | |||
|
|||
private | |||
|
|||
def mock_cgi_for_request_to(action, params = {}) | |||
MockCGI.new({ | |||
"REQUEST_METHOD" => "GET", | |||
"QUERY_STRING" => "action=#{action}&#{params.to_query}", | |||
"REQUEST_URI" => "/", | |||
"SERVER_PORT" => "80", | |||
"HTTP_HOST" => "testdomain.com" }, '') | |||
end | |||
|
|||
end |
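Review bot: `test_should_catch_session_fixation_attempt_with_default_session_key` switches `ActionController::Base.session_store` to `:p_store` globally and never restores it, so every test that runs afterwards in the same process (in this file and others) silently runs against a different store than the one it was written for; capture the previous value in `setup` and restore it in `teardown` (`@old_session_store = ActionController::Base.session_store` / `def teardown; ActionController::Base.session_store = @old_session_store; end`, assuming the reader is available in this version). The `cookie_only => false` test only asserts that no exception is raised and that a session exists; it does not check that the id supplied in the query string (`42`) is the one actually adopted, so a regression that ignored the URL id and minted a fresh session would still pass — an assertion on the resulting session id would pin the intended behaviour. The commit title says the option now survives multiple requests, but each test issues exactly one request per controller instance; a second `process` call on the same `@controller` with the fixation parameter would be the regression test that actually exercises that claim.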