
Add cookie tossing protection #113

Merged
merged 1 commit into from Jul 31, 2016

@jkowens
Member

jkowens commented Jul 30, 2016

Mitigate malicious session cookies set on a subdomain from
being read by the parent domain. Resolves sinatra/sinatra#1155.

I've set the default reaction to deny the request, but I've added a method so that it could be configured to redirect as described in the GitHub blog.

use Rack::Protection::CookieTossing, :reaction => :redirect

There is also an option to set the session cookie name (the default is rack.session):

use Rack::Protection::CookieTossing, :session_key => '_session'

Add cookie tossing protection
Mitigate malicious session cookies set on a subdomain from
being read by the parent domain.
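The mechanism the description above relies on, as an added example (my own illustrative middleware, not rack-protection's Rack::Protection::CookieTossing): a browser that holds two cookies with the same name, one set legitimately on the parent domain and one planted from a subdomain with a broader Domain or a more specific Path, sends both in the Cookie request header, and because that header carries no Domain or Path attributes the application cannot tell which value is the real session. Seeing the session cookie name more than once is therefore the signal. The class name CookieTossingGuard, the `:reaction` and `:session_key` options mirroring the ones in the PR, the Rack-style `env` keys and the newline-joined Set-Cookie header are assumptions of this example.

```ruby
# Added example, not rack-protection's own code: a minimal Rack-style
# middleware that detects a tossed session cookie and either denies the
# request (default) or clears the cookie on every path prefix and redirects.
class CookieTossingGuard
  DEFAULTS = { session_key: 'rack.session', reaction: :deny }.freeze

  def initialize(app, options = {})
    @app = app
    @options = DEFAULTS.merge(options)
  end

  # Names that occur more than once in a Cookie header. The header is a
  # flat "name=value; name=value" list with no attributes, so a duplicate
  # name is the only visible trace of a cookie planted from another scope.
  def self.duplicate_cookie_names(cookie_header)
    names = cookie_header.to_s.split(/;\s*/).map { |pair| pair.split('=', 2).first.to_s.strip }
    names.group_by(&:itself).select { |_, v| v.size > 1 }.keys
  end

  # Every path prefix of a request path: "/a/b" -> ["/", "/a", "/a/b"].
  # An attacker's cookie with Path=/a would shadow the legitimate one for
  # requests under /a, so each prefix has to be cleared.
  def self.path_prefixes(path)
    segments = path.split('/').reject(&:empty?)
    ['/'] + (1..segments.size).map { |n| '/' + segments.first(n).join('/') }
  end

  def tossed?(env)
    self.class.duplicate_cookie_names(env['HTTP_COOKIE']).include?(@options[:session_key])
  end

  def call(env)
    return @app.call(env) unless tossed?(env)
    @options[:reaction] == :redirect ? redirect(env) : deny
  end

  private

  def deny
    [400, { 'Content-Type' => 'text/plain' }, ['Bad Request']]
  end

  # Expire the session cookie on every path prefix of the request path and
  # send the client back to the same path, so the retry carries only the
  # cookie that survives (the legitimate, host-only one).
  def redirect(env)
    path = env['PATH_INFO'].to_s
    path = '/' if path.empty?
    expired = 'Thu, 01 Jan 1970 00:00:00 GMT'
    set_cookie = self.class.path_prefixes(path).map do |prefix|
      "#{@options[:session_key]}=; Path=#{prefix}; Expires=#{expired}"
    end.join("\n")
    [302, { 'Location' => path, 'Set-Cookie' => set_cookie }, []]
  end
end

# Constructed request environments, the way a Rack server would hand them
# to the middleware. The second one is what a cookie-tossing victim sends.
if __FILE__ == $PROGRAM_NAME
  app = ->(_env) { [200, { 'Content-Type' => 'text/plain' }, ['ok']] }
  guard = CookieTossingGuard.new(app)
  p guard.call('HTTP_COOKIE' => 'rack.session=abc; theme=dark', 'PATH_INFO' => '/')[0]
  p guard.call('HTTP_COOKIE' => 'rack.session=abc; rack.session=evil', 'PATH_INFO' => '/')[0]
end
```

Deny is the safe default because a 400 can never be turned into a session fixation by the attacker, whereas the redirect variant only clears host-only cookies: a cookie that was set with an explicit Domain attribute is a different cookie to the browser and needs a matching Domain in the expiring Set-Cookie to go away, which this example does not attempt.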

@zzak zzak merged commit 729059b into sinatra:master Jul 31, 2016

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed

Member

zzak commented Jul 31, 2016

@jkowens Thank you!

zzak added a commit that referenced this pull request Aug 12, 2016

Merge pull request #113 from jkowens/cookie_tossing
Add cookie tossing protection