wipe out the value of the session data in addition to setting expires…

… header in past on destroy
soitgoes · Apr 8, 2014 · 8feec45 · 8feec45
1 parent 86a005d
commit 8feec45
Show file tree

Hide file tree

Showing 3 changed files with 55 additions and 6 deletions.
diff --git a/lib/middleware/session/cookieDataProvider.js b/lib/middleware/session/cookieDataProvider.js
@@ -34,22 +34,27 @@ CookieDataProvider.prototype.loadSession = function(req, sessionId) {
  *	Called once at the end of the request
  */
 CookieDataProvider.prototype.save = function(req, res, sessionId) {
-    return setCookie(req, res, sessionId, this.config.lifetime, this.config.secret, this.cookieKey);
+    return this.setCookie(req, res, sessionId, this.config.lifetime);
 };
 
 CookieDataProvider.prototype.destroy = function (req, res, sessionId) {
-    return setCookie(req, res, sessionId, -1, this.config.secret, this.cookieKey);
+    return this.setCookie(req, res, sessionId, -1);
 };
 
-function setCookie(req, res, sessionId, expiresInSeconds, secret, cookieKey) {
+CookieDataProvider.prototype.setCookie = function (req, res, sessionId, expiresInSeconds) {
+    var cookieKey = this.cookieKey;
+    var secret = this.config.secret;
+
     res = res || {};
     res.headers = res.headers || {};
     res.headers["Set-Cookie"] = res.headers["Set-Cookie"] || [];
+
     var expires = new Date();
     expires.setSeconds(expires.getSeconds() + expiresInSeconds);
-    var sData = JSON.stringify(req.env.session);
 
-    var cookie = cookieKey + "=" + encodeURIComponent(security.encrypt(sData, secret)) + "; Path=/; Expires=" + expires.toUTCString() + ";";
+    var sData = expiresInSeconds > 0 ? JSON.stringify(req.env.session) : '';
+
+    var cookie = cookieKey + "=" + encodeURIComponent(this.encrypt(sData, secret)) + "; Path=/; Expires=" + expires.toUTCString() + ";";
 
     res = util.ensureSetCookieArray(res);
     res.headers["Set-Cookie"] = res.headers["Set-Cookie"].filter(function(el) {

diff --git a/lib/middleware/session/idProvider.js b/lib/middleware/session/idProvider.js
@@ -44,7 +44,7 @@ IdProvider.prototype.save = function(req, res, sessionId) {
 };
 
 IdProvider.prototype.destroy = function (req, res, sessionId) {
-    return setCookie(req, res, sessionId, -1, this.config.secret, this.cookieKey);
+    return setCookie(req, res, '', -1, this.config.secret, this.cookieKey);
 };
 
 function setCookie(req, res, sessionId, expiresInSeconds, secret, cookieKey) {

diff --git a/spec/middleware/session/cookieDataProviderSpec.coffee b/spec/middleware/session/cookieDataProviderSpec.coffee
@@ -48,3 +48,47 @@ describe 'Cookie Data Provider', ->
       q.when session, (session) ->
         expect(session).toEqual JSON.parse(decryptedSessionData)
         done()
+
+  describe 'destroy session', ->
+    res = null
+    sessionId = null
+    encrypt = null
+
+    beforeEach ->
+      sessionId = '--some-session-id--'
+
+      encrypt = jasmine.createSpy 'encrypt'
+      encrypt.andCallFake (sessionId, secret) ->
+        sessionId
+
+      cookieDataProvider = new CookieDataProvider
+        secret: 'VERY_SECRET',
+        encrypt: encrypt
+
+      req = new JsgiRequest('/', 'get', { cookie: '' })
+      req.env =
+        session:
+          foo: 'bar'
+          bar: 'baz'
+
+      res = { headers: {} }
+      res = cookieDataProvider.destroy(req, res, sessionId)
+
+    it 'should call encrypt', (done) ->
+      q(res)
+        .then ->
+          expect(encrypt).toHaveBeenCalled()
+        .fail (err) =>
+          @fail err
+        .fin done
+
+    it 'should have empty session cookie', (done) ->
+      q(res)
+        .then (res) ->
+          cookie = res.headers['Set-Cookie'][0]
+          parts = cookie.split(';')
+          val = parts[0].split('=')[1]
+          expect(val).toEqual('')
+        .fail (err) =>
+          @fail err
+        .fin done