test showing that the :digest option to CookieStore does absolutely nothing anymore #8513

Closed
wants to merge 1 commit into from

5 participants

@yyyc514

Seems this was broken 3 years ago and no one noticed?

25f7c03

Not sure how best to go about fixing it - if anyone cares? This (:digest) was a good idea, but either no one is using it or has no idea it broke - since it would be a very silent failure.

@yyyc514

How would you go about fixing this without hard coding rack.sessions.options into the rails Cookies class?

@parndt

Huh, hopefully this gets reviewed before Rails 4.0

@jaggederest

I believe this is fixed in Master, can someone confirm?

@senny
Owner

@chancancode can you determine the status of this issue and merge / close accordingly?

@yyyc514

Should be as simple as running the test suite and seeing if the test still fails.

@chancancode chancancode self-assigned this
@chancancode
Owner

@yyyc514 you are absolutely right, this has been broken since 3.0 by mistake. We should have deprecated the option back then. But since it has been so long, and like you said I doubt anyone is using it, and considering how much code we will need to bring back to support this, we should just fix the doc and move on.

If someone is actually looking for a fix for this, I suppose I can help them write a gem that brings this back. Basically you'll just create a new store that uses the cookie store code before 25f7c03...

@yyyc514

Works for me I guess. :)

Commits on Dec 14, 2012
  1. @yyyc514
Showing with 13 additions and 1 deletion.
  1. +13 −1 actionpack/test/dispatch/session/cookie_store_test.rb
14 actionpack/test/dispatch/session/cookie_store_test.rb
@@ -11,6 +11,9 @@ class CookieStoreTest < ActionDispatch::IntegrationTest
Verifier = ActiveSupport::MessageVerifier.new(SessionSecret, :digest => 'SHA1')
SignedBar = Verifier.generate(:foo => "bar", :session_id => SecureRandom.hex(16))
+ VerifierMD5 = ActiveSupport::MessageVerifier.new(SessionSecret, :digest => 'MD5')
+ SignedBarMD5 = VerifierMD5.generate(:foo => "bar", :session_id => SecureRandom.hex(16))
+
class TestController < ActionController::Base
def no_session_access
head :ok
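Review bot: `VerifierMD5` and `SignedBarMD5` are added as class-level constants but serve only the one new test; building them inside that test would keep the fixture next to its single use. Since the test only needs a digest different from the 'SHA1' used by `Verifier` on the line above, consider a digest other than MD5 for the fixture so the suite does not model a weaker choice for signing session cookies.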
@@ -72,6 +75,15 @@ def test_setting_session_value
headers['Set-Cookie']
end
end
+
+ def test_digest_can_be_changed
+ with_test_route_set(:digest => "MD5") do
+ cookies[SessionKey] = SignedBarMD5
+ get '/get_session_value'
+ assert_response :success
+ assert_equal 'foo: "bar"', response.body
+ end
+ end
def test_getting_session_value
with_test_route_set do
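Review bot: `test_digest_can_be_changed` asserts only the accepting path, so a store that verified cookies under any digest would also pass it. Add the negative case: inside `with_test_route_set(:digest => "MD5")`, set `cookies[SessionKey] = SignedBar` (the SHA1-signed value) and assert that the response body does not contain `foo: "bar"`. Style: the new test's closing `end` runs straight into `def test_getting_session_value`; leave a blank line between the two methods.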
@@ -95,7 +107,7 @@ def test_getting_session_id
assert_equal "id: #{session_id}", response.body, "should be able to read session id without accessing the session hash"
end
end
-
+
def test_disregards_tampered_sessions
with_test_route_set do
cookies[SessionKey] = "BAh7BjoIZm9vIghiYXI%3D--123456780"
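Review bot: the only change in this hunk replaces a blank line before `test_disregards_tampered_sessions` with another blank line, so it differs in whitespace alone. Drop it from the patch so the diff contains only the digest test and its fixtures.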