Permalink
Browse files

Added support for http_only cookies in cookie_store Added unit tests …

…for secure and http_only cookies in cookie_store

Signed-off-by: Michael Koziarski <michael@koziarski.com>
[#1046 state:committed]
  • Loading branch information...
1 parent c47525a commit 7ecb9689b03335ec28958c506b083390f4212d45 @pelle pelle committed with NZKoz Sep 16, 2008
View
@@ -1,5 +1,7 @@
*Edge*
+* Set HttpOnly for the cookie session store's cookie. #1046
+
* Added FormTagHelper#image_submit_tag confirm option #784 [Alastair Brunton]
* Fixed FormTagHelper#submit_tag with :disable_with option wouldn't submit the button's value when was clicked #633 [Jose Fernandez]
@@ -42,7 +42,8 @@ class SessionFixationAttempt < StandardError #:nodoc:
:prefix => "ruby_sess.", # prefix session file names
:session_path => "/", # available to all paths in app
:session_key => "_session_id",
- :cookie_only => true
+ :cookie_only => true,
+ :session_http_only=> true
}
def initialize(cgi, session_options = {})
@@ -14,7 +14,8 @@ class SessionFixationAttempt < StandardError #:nodoc:
:prefix => "ruby_sess.", # prefix session file names
:session_path => "/", # available to all paths in app
:session_key => "_session_id",
- :cookie_only => true
+ :cookie_only => true,
+ :session_http_only=> true
}
def initialize(env, session_options = DEFAULT_SESSION_OPTIONS)
@@ -70,7 +70,8 @@ def initialize(session, options = {})
'path' => options['session_path'],
'domain' => options['session_domain'],
'expires' => options['session_expires'],
- 'secure' => options['session_secure']
+ 'secure' => options['session_secure'],
+ 'http_only' => options['session_http_only']
}
# Set no_hidden and no_cookies since the session id is unused and we
@@ -60,6 +60,10 @@ def session_options
# # the session will only work over HTTPS, but only for the foo action
# session :only => :foo, :session_secure => true
#
+ # # the session by default uses HttpOnly sessions for security reasons.
+ # # this can be switched off.
+ # session :only => :foo, :session_http_only => false
+ #
# # the session will only be disabled for 'foo', and only if it is
# # requested as a web service
# session :off, :only => :foo,
@@ -36,7 +36,9 @@ def self.default_session_options
'session_key' => '_myapp_session',
'secret' => 'Keep it secret; keep it safe.',
'no_cookies' => true,
- 'no_hidden' => true }
+ 'no_hidden' => true,
+ 'session_http_only' => true
+ }
end
def self.cookies
@@ -149,6 +151,48 @@ def test_close_marshals_and_writes_cookie
assert_equal 1, session.cgi.output_cookies.size
cookie = session.cgi.output_cookies.first
assert_cookie cookie, cookie_value(:flashed)
+ assert_http_only_cookie cookie
+ assert_secure_cookie cookie, false
+ end
+ end
+
+ def test_writes_non_secure_cookie_by_default
+ set_cookie! cookie_value(:typical)
+ new_session do |session|
+ session['flash'] = {}
+ session.close
+ cookie = session.cgi.output_cookies.first
+ assert_secure_cookie cookie,false
+ end
+ end
+
+ def test_writes_secure_cookie
+ set_cookie! cookie_value(:typical)
+ new_session('session_secure'=>true) do |session|
+ session['flash'] = {}
+ session.close
+ cookie = session.cgi.output_cookies.first
+ assert_secure_cookie cookie
+ end
+ end
+
+ def test_http_only_cookie_by_default
+ set_cookie! cookie_value(:typical)
+ new_session do |session|
+ session['flash'] = {}
+ session.close
+ cookie = session.cgi.output_cookies.first
+ assert_http_only_cookie cookie
+ end
+ end
+
+ def test_overides_http_only_cookie
+ set_cookie! cookie_value(:typical)
+ new_session('session_http_only'=>false) do |session|
+ session['flash'] = {}
+ session.close
+ cookie = session.cgi.output_cookies.first
+ assert_http_only_cookie cookie, false
end
end
@@ -195,6 +239,13 @@ def assert_cookie(cookie, value = nil, expires = nil, message = nil)
assert_equal expires, cookie.expires ? cookie.expires.to_date : cookie.expires, message
end
+ def assert_secure_cookie(cookie,value=true)
+ assert cookie.secure==value
+ end
+
+ def assert_http_only_cookie(cookie,value=true)
+ assert cookie.http_only==value
+ end
def cookies(*which)
self.class.cookies.values_at(*which)

0 comments on commit 7ecb968

Please sign in to comment.