rails--rails/railties/test/application/middleware/session_test.rb

# encoding: utf-8
require 'isolation/abstract_unit'
require 'rack/test'

module ApplicationTests
  class MiddlewareSessionTest < ActiveSupport::TestCase
    include ActiveSupport::Testing::Isolation
    include Rack::Test::Methods

    def setup
      build_app
      boot_rails
      FileUtils.rm_rf "#{app_path}/config/environments"
    end

    def teardown
      teardown_app
    end

    def app
      @app ||= Rails.application
    end

    test "config.force_ssl sets cookie to secure only" do
      add_to_config "config.force_ssl = true"
      require "#{app_path}/config/environment"
      assert app.config.session_options[:secure], "Expected session to be marked as secure"
    end

    test "session is not loaded if it's not used" do
      make_basic_app

      class ::OmgController < ActionController::Base
        def index
          if params[:flash]
            flash[:notice] = "notice"
          end

          render nothing: true
        end
      end

      get "/?flash=true"
      get "/"

      assert last_request.env["HTTP_COOKIE"]
      assert !last_response.headers["Set-Cookie"]
    end

    test "session is empty and isn't saved on unverified request when using :null_session protect method" do
      app_file 'config/routes.rb', <<-RUBY
        Rails.application.routes.draw do
          get  ':controller(/:action)'
          post ':controller(/:action)'
        end
      RUBY

      controller :foo, <<-RUBY
        class FooController < ActionController::Base
          protect_from_forgery with: :null_session

          def write_session
            session[:foo] = 1
            render nothing: true
          end

          def read_session
            render text: session[:foo].inspect
          end
        end
      RUBY

      add_to_config <<-RUBY
        config.action_controller.allow_forgery_protection = true
      RUBY

      require "#{app_path}/config/environment"

      get '/foo/write_session'
      get '/foo/read_session'
      assert_equal '1', last_response.body

      post '/foo/read_session'               # Read session using POST request without CSRF token
      assert_equal 'nil', last_response.body # Stored value shouldn't be accessible

      post '/foo/write_session' # Write session using POST request without CSRF token
      get '/foo/read_session'   # Session shouldn't be changed
      assert_equal '1', last_response.body
    end

    test "cookie jar is empty and isn't saved on unverified request when using :null_session protect method" do
      app_file 'config/routes.rb', <<-RUBY
        Rails.application.routes.draw do
          get  ':controller(/:action)'
          post ':controller(/:action)'
        end
      RUBY

      controller :foo, <<-RUBY
        class FooController < ActionController::Base
          protect_from_forgery with: :null_session

          def write_cookie
            cookies[:foo] = '1'
            render nothing: true
          end

          def read_cookie
            render text: cookies[:foo].inspect
          end
        end
      RUBY

      add_to_config <<-RUBY
        config.action_controller.allow_forgery_protection = true
      RUBY

      require "#{app_path}/config/environment"

      get '/foo/write_cookie'
      get '/foo/read_cookie'
      assert_equal '"1"', last_response.body

      post '/foo/read_cookie'                # Read cookie using POST request without CSRF token
      assert_equal 'nil', last_response.body # Stored value shouldn't be accessible

      post '/foo/write_cookie' # Write cookie using POST request without CSRF token
      get '/foo/read_cookie'   # Cookie shouldn't be changed
      assert_equal '"1"', last_response.body
    end

    test "session using encrypted cookie store" do
      app_file 'config/routes.rb', <<-RUBY
        Rails.application.routes.draw do
          get ':controller(/:action)'
        end
      RUBY

      controller :foo, <<-RUBY
        class FooController < ActionController::Base
          def write_session
            session[:foo] = 1
            render nothing: true
          end

          def read_session
            render text: session[:foo]
          end

          def read_encrypted_cookie
            render text: cookies.encrypted[:_myapp_session]['foo']
          end

          def read_raw_cookie
            render text: cookies[:_myapp_session]
          end
        end
      RUBY

      require "#{app_path}/config/environment"

      get '/foo/write_session'
      get '/foo/read_session'
      assert_equal '1', last_response.body

      get '/foo/read_encrypted_cookie'
      assert_equal '1', last_response.body

      secret = app.key_generator.generate_key('encrypted cookie')
      sign_secret = app.key_generator.generate_key('signed encrypted cookie')
      encryptor = ActiveSupport::MessageEncryptor.new(secret, sign_secret)

      get '/foo/read_raw_cookie'
      assert_equal 1, encryptor.decrypt_and_verify(last_response.body)['foo']
    end

    test "session upgrading signature to encryption cookie store works the same way as encrypted cookie store" do
      app_file 'config/routes.rb', <<-RUBY
        Rails.application.routes.draw do
          get ':controller(/:action)'
        end
      RUBY

      controller :foo, <<-RUBY
        class FooController < ActionController::Base
          def write_session
            session[:foo] = 1
            render nothing: true
          end

          def read_session
            render text: session[:foo]
          end

          def read_encrypted_cookie
            render text: cookies.encrypted[:_myapp_session]['foo']
          end

          def read_raw_cookie
            render text: cookies[:_myapp_session]
          end
        end
      RUBY

      add_to_config <<-RUBY
        secrets.secret_token = "3b7cd727ee24e8444053437c36cc66c4"
      RUBY

      require "#{app_path}/config/environment"

      get '/foo/write_session'
      get '/foo/read_session'
      assert_equal '1', last_response.body

      get '/foo/read_encrypted_cookie'
      assert_equal '1', last_response.body

      secret = app.key_generator.generate_key('encrypted cookie')
      sign_secret = app.key_generator.generate_key('signed encrypted cookie')
      encryptor = ActiveSupport::MessageEncryptor.new(secret, sign_secret)

      get '/foo/read_raw_cookie'
      assert_equal 1, encryptor.decrypt_and_verify(last_response.body)['foo']
    end

    test "session upgrading signature to encryption cookie store upgrades session to encrypted mode" do
      app_file 'config/routes.rb', <<-RUBY
        Rails.application.routes.draw do
          get ':controller(/:action)'
        end
      RUBY

      controller :foo, <<-RUBY
        class FooController < ActionController::Base
          def write_raw_session
            # {"session_id"=>"1965d95720fffc123941bdfb7d2e6870", "foo"=>1}
            cookies[:_myapp_session] = "BAh7B0kiD3Nlc3Npb25faWQGOgZFRkkiJTE5NjVkOTU3MjBmZmZjMTIzOTQxYmRmYjdkMmU2ODcwBjsAVEkiCGZvbwY7AEZpBg==--315fb9931921a87ae7421aec96382f0294119749"
            render nothing: true
          end

          def write_session
            session[:foo] = session[:foo] + 1
            render nothing: true
          end

          def read_session
            render text: session[:foo]
          end

          def read_encrypted_cookie
            render text: cookies.encrypted[:_myapp_session]['foo']
          end

          def read_raw_cookie
            render text: cookies[:_myapp_session]
          end
        end
      RUBY

      add_to_config <<-RUBY
        secrets.secret_token = "3b7cd727ee24e8444053437c36cc66c4"
      RUBY

      require "#{app_path}/config/environment"

      get '/foo/write_raw_session'
      get '/foo/read_session'
      assert_equal '1', last_response.body

      get '/foo/write_session'
      get '/foo/read_session'
      assert_equal '2', last_response.body

      get '/foo/read_encrypted_cookie'
      assert_equal '2', last_response.body

      secret = app.key_generator.generate_key('encrypted cookie')
      sign_secret = app.key_generator.generate_key('signed encrypted cookie')
      encryptor = ActiveSupport::MessageEncryptor.new(secret, sign_secret)

      get '/foo/read_raw_cookie'
      assert_equal 2, encryptor.decrypt_and_verify(last_response.body)['foo']
    end

    test "session upgrading legacy signed cookies to new signed cookies" do
      app_file 'config/routes.rb', <<-RUBY
        Rails.application.routes.draw do
          get ':controller(/:action)'
        end
      RUBY

      controller :foo, <<-RUBY
        class FooController < ActionController::Base
          def write_raw_session
            # {"session_id"=>"1965d95720fffc123941bdfb7d2e6870", "foo"=>1}
            cookies[:_myapp_session] = "BAh7B0kiD3Nlc3Npb25faWQGOgZFRkkiJTE5NjVkOTU3MjBmZmZjMTIzOTQxYmRmYjdkMmU2ODcwBjsAVEkiCGZvbwY7AEZpBg==--315fb9931921a87ae7421aec96382f0294119749"
            render nothing: true
          end

          def write_session
            session[:foo] = session[:foo] + 1
            render nothing: true
          end

          def read_session
            render text: session[:foo]
          end

          def read_signed_cookie
            render text: cookies.signed[:_myapp_session]['foo']
          end

          def read_raw_cookie
            render text: cookies[:_myapp_session]
          end
        end
      RUBY

      add_to_config <<-RUBY
        secrets.secret_token = "3b7cd727ee24e8444053437c36cc66c4"
        secrets.secret_key_base = nil
      RUBY

      require "#{app_path}/config/environment"

      get '/foo/write_raw_session'
      get '/foo/read_session'
      assert_equal '1', last_response.body

      get '/foo/write_session'
      get '/foo/read_session'
      assert_equal '2', last_response.body

      get '/foo/read_signed_cookie'
      assert_equal '2', last_response.body

      verifier = ActiveSupport::MessageVerifier.new(app.secrets.secret_token)

      get '/foo/read_raw_cookie'
      assert_equal 2, verifier.verify(last_response.body)['foo']
    end
  end
end
config.force_ssl should mark the session as secure. 2012-01-12 14:46:54 -05:00			`# encoding: utf-8`
			`require 'isolation/abstract_unit'`
			`require 'rack/test'`

			`module ApplicationTests`
			`class MiddlewareSessionTest < ActiveSupport::TestCase`
			`include ActiveSupport::Testing::Isolation`
			`include Rack::Test::Methods`

			`def setup`
			`build_app`
			`boot_rails`
			`FileUtils.rm_rf "#{app_path}/config/environments"`
			`end`

			`def teardown`
			`teardown_app`
			`end`

			`def app`
			`@app \|\|= Rails.application`
			`end`

			`test "config.force_ssl sets cookie to secure only" do`
			`add_to_config "config.force_ssl = true"`
			`require "#{app_path}/config/environment"`
			`assert app.config.session_options[:secure], "Expected session to be marked as secure"`
			`end`
Failing test for #6034 2012-04-30 02:36:39 -04:00
			`test "session is not loaded if it's not used" do`
			`make_basic_app`

			`class ::OmgController < ActionController::Base`
			`def index`
			`if params[:flash]`
			`flash[:notice] = "notice"`
			`end`

Use Ruby 1.9 Hash syntax in railties 2012-10-14 06:03:39 -04:00			`render nothing: true`
Failing test for #6034 2012-04-30 02:36:39 -04:00			`end`
			`end`

			`get "/?flash=true"`
			`get "/"`

			`assert last_request.env["HTTP_COOKIE"]`
			`assert !last_response.headers["Set-Cookie"]`
			`end`
Implement :null_session CSRF protection method It's further work on CSRF after 245941101b1ea00a9b1af613c20b0ee994a43946. The :null_session CSRF protection method provide an empty session during request processing but doesn't reset it completely (as :reset_session does). 2012-09-13 05:07:37 -04:00
			`test "session is empty and isn't saved on unverified request when using :null_session protect method" do`
			`app_file 'config/routes.rb', <<-RUBY`
Removing use of subclassed application constant and instead using the more agnostic Rails.application syntax. This means tests will be more portable, and won't rely on the existence of a particular subclass. 2013-06-03 23:57:01 -04:00			`Rails.application.routes.draw do`
Implement :null_session CSRF protection method It's further work on CSRF after 245941101b1ea00a9b1af613c20b0ee994a43946. The :null_session CSRF protection method provide an empty session during request processing but doesn't reset it completely (as :reset_session does). 2012-09-13 05:07:37 -04:00			`get ':controller(/:action)'`
			`post ':controller(/:action)'`
			`end`
			`RUBY`

			`controller :foo, <<-RUBY`
			`class FooController < ActionController::Base`
			`protect_from_forgery with: :null_session`

			`def write_session`
			`session[:foo] = 1`
			`render nothing: true`
			`end`

			`def read_session`
			`render text: session[:foo].inspect`
			`end`
			`end`
			`RUBY`

			`add_to_config <<-RUBY`
			`config.action_controller.allow_forgery_protection = true`
			`RUBY`

			`require "#{app_path}/config/environment"`

			`get '/foo/write_session'`
			`get '/foo/read_session'`
			`assert_equal '1', last_response.body`

			`post '/foo/read_session' # Read session using POST request without CSRF token`
			`assert_equal 'nil', last_response.body # Stored value shouldn't be accessible`

			`post '/foo/write_session' # Write session using POST request without CSRF token`
			`get '/foo/read_session' # Session shouldn't be changed`
			`assert_equal '1', last_response.body`
			`end`

			`test "cookie jar is empty and isn't saved on unverified request when using :null_session protect method" do`
			`app_file 'config/routes.rb', <<-RUBY`
Removing use of subclassed application constant and instead using the more agnostic Rails.application syntax. This means tests will be more portable, and won't rely on the existence of a particular subclass. 2013-06-03 23:57:01 -04:00			`Rails.application.routes.draw do`
Implement :null_session CSRF protection method It's further work on CSRF after 245941101b1ea00a9b1af613c20b0ee994a43946. The :null_session CSRF protection method provide an empty session during request processing but doesn't reset it completely (as :reset_session does). 2012-09-13 05:07:37 -04:00			`get ':controller(/:action)'`
			`post ':controller(/:action)'`
			`end`
			`RUBY`

			`controller :foo, <<-RUBY`
			`class FooController < ActionController::Base`
			`protect_from_forgery with: :null_session`

			`def write_cookie`
			`cookies[:foo] = '1'`
			`render nothing: true`
			`end`

			`def read_cookie`
			`render text: cookies[:foo].inspect`
			`end`
			`end`
			`RUBY`

			`add_to_config <<-RUBY`
			`config.action_controller.allow_forgery_protection = true`
			`RUBY`

			`require "#{app_path}/config/environment"`

			`get '/foo/write_cookie'`
			`get '/foo/read_cookie'`
			`assert_equal '"1"', last_response.body`

			`post '/foo/read_cookie' # Read cookie using POST request without CSRF token`
			`assert_equal 'nil', last_response.body # Stored value shouldn't be accessible`

			`post '/foo/write_cookie' # Write cookie using POST request without CSRF token`
			`get '/foo/read_cookie' # Cookie shouldn't be changed`
			`assert_equal '"1"', last_response.body`
			`end`
Add encrypted cookie store 2012-10-30 16:12:23 -04:00
			`test "session using encrypted cookie store" do`
			`app_file 'config/routes.rb', <<-RUBY`
Removing use of subclassed application constant and instead using the more agnostic Rails.application syntax. This means tests will be more portable, and won't rely on the existence of a particular subclass. 2013-06-03 23:57:01 -04:00			`Rails.application.routes.draw do`
Add encrypted cookie store 2012-10-30 16:12:23 -04:00			`get ':controller(/:action)'`
			`end`
			`RUBY`

			`controller :foo, <<-RUBY`
			`class FooController < ActionController::Base`
			`def write_session`
			`session[:foo] = 1`
			`render nothing: true`
			`end`

			`def read_session`
			`render text: session[:foo]`
			`end`

			`def read_encrypted_cookie`
			`render text: cookies.encrypted[:_myapp_session]['foo']`
			`end`

			`def read_raw_cookie`
			`render text: cookies[:_myapp_session]`
			`end`
			`end`
			`RUBY`

			`require "#{app_path}/config/environment"`

			`get '/foo/write_session'`
			`get '/foo/read_session'`
			`assert_equal '1', last_response.body`

			`get '/foo/read_encrypted_cookie'`
			`assert_equal '1', last_response.body`

			`secret = app.key_generator.generate_key('encrypted cookie')`
			`sign_secret = app.key_generator.generate_key('signed encrypted cookie')`
			`encryptor = ActiveSupport::MessageEncryptor.new(secret, sign_secret)`

			`get '/foo/read_raw_cookie'`
			`assert_equal 1, encryptor.decrypt_and_verify(last_response.body)['foo']`
			`end`
Add UpgradeSignatureToEncryptionCookieStore This allows easy upgrading from the old signed Cookie Store <= 3.2 or the deprecated one in 4.0 (the ones that doesn't use key derivation) to the new one that signs using key derivation 2012-11-16 14:17:08 -05:00
Allow transparent upgrading of legacy signed cookies to encrypted cookies; Automatically configure cookie-based sessions to use the best cookie jar given the app's config 2013-03-28 15:35:48 -04:00			`test "session upgrading signature to encryption cookie store works the same way as encrypted cookie store" do`
Add UpgradeSignatureToEncryptionCookieStore This allows easy upgrading from the old signed Cookie Store <= 3.2 or the deprecated one in 4.0 (the ones that doesn't use key derivation) to the new one that signs using key derivation 2012-11-16 14:17:08 -05:00			`app_file 'config/routes.rb', <<-RUBY`
Removing use of subclassed application constant and instead using the more agnostic Rails.application syntax. This means tests will be more portable, and won't rely on the existence of a particular subclass. 2013-06-03 23:57:01 -04:00			`Rails.application.routes.draw do`
Add UpgradeSignatureToEncryptionCookieStore This allows easy upgrading from the old signed Cookie Store <= 3.2 or the deprecated one in 4.0 (the ones that doesn't use key derivation) to the new one that signs using key derivation 2012-11-16 14:17:08 -05:00			`get ':controller(/:action)'`
			`end`
			`RUBY`

			`controller :foo, <<-RUBY`
			`class FooController < ActionController::Base`
			`def write_session`
			`session[:foo] = 1`
			`render nothing: true`
			`end`

			`def read_session`
			`render text: session[:foo]`
			`end`

			`def read_encrypted_cookie`
			`render text: cookies.encrypted[:_myapp_session]['foo']`
			`end`

			`def read_raw_cookie`
			`render text: cookies[:_myapp_session]`
			`end`
			`end`
			`RUBY`

			`add_to_config <<-RUBY`
`secret_token` is now saved in `Rails.application.secrets.secret_token` - `secrets.secret_token` is now used in all places `config.secret_token` was - `secrets.secret_token`, when not present in `config/secrets.yml`, now falls back to the value of `config.secret_token` - when `secrets.secret_token` is set, it over-writes `config.secret_token` so they are the same (for backwards-compatibility) - Update docs to reference app.secrets in all places - Remove references to `config.secret_token`, `config.secret_key_base` - Warn that missing secret_key_base is deprecated - Add tests for secret_token, key_generator, and message_verifier - the legacy key generator is used with the message verifier when secrets.secret_key_base is blank and secret_token is set - app.key_generator raises when neither secrets.secret_key_base nor secret_token are set - app.env_config raises when neither secrets.secret_key_base nor secret_token are set - Add changelog Run focused tests via ruby -w -Itest test/application/configuration_test.rb -n '/secret_\|key_/' 2014-10-27 13:04:37 -04:00			`secrets.secret_token = "3b7cd727ee24e8444053437c36cc66c4"`
Add UpgradeSignatureToEncryptionCookieStore This allows easy upgrading from the old signed Cookie Store <= 3.2 or the deprecated one in 4.0 (the ones that doesn't use key derivation) to the new one that signs using key derivation 2012-11-16 14:17:08 -05:00			`RUBY`

			`require "#{app_path}/config/environment"`

			`get '/foo/write_session'`
			`get '/foo/read_session'`
			`assert_equal '1', last_response.body`

			`get '/foo/read_encrypted_cookie'`
			`assert_equal '1', last_response.body`

			`secret = app.key_generator.generate_key('encrypted cookie')`
			`sign_secret = app.key_generator.generate_key('signed encrypted cookie')`
			`encryptor = ActiveSupport::MessageEncryptor.new(secret, sign_secret)`

			`get '/foo/read_raw_cookie'`
			`assert_equal 1, encryptor.decrypt_and_verify(last_response.body)['foo']`
			`end`

Allow transparent upgrading of legacy signed cookies to encrypted cookies; Automatically configure cookie-based sessions to use the best cookie jar given the app's config 2013-03-28 15:35:48 -04:00			`test "session upgrading signature to encryption cookie store upgrades session to encrypted mode" do`
Add UpgradeSignatureToEncryptionCookieStore This allows easy upgrading from the old signed Cookie Store <= 3.2 or the deprecated one in 4.0 (the ones that doesn't use key derivation) to the new one that signs using key derivation 2012-11-16 14:17:08 -05:00			`app_file 'config/routes.rb', <<-RUBY`
Removing use of subclassed application constant and instead using the more agnostic Rails.application syntax. This means tests will be more portable, and won't rely on the existence of a particular subclass. 2013-06-03 23:57:01 -04:00			`Rails.application.routes.draw do`
Add UpgradeSignatureToEncryptionCookieStore This allows easy upgrading from the old signed Cookie Store <= 3.2 or the deprecated one in 4.0 (the ones that doesn't use key derivation) to the new one that signs using key derivation 2012-11-16 14:17:08 -05:00			`get ':controller(/:action)'`
			`end`
			`RUBY`

			`controller :foo, <<-RUBY`
			`class FooController < ActionController::Base`
			`def write_raw_session`
			`# {"session_id"=>"1965d95720fffc123941bdfb7d2e6870", "foo"=>1}`
			`cookies[:_myapp_session] = "BAh7B0kiD3Nlc3Npb25faWQGOgZFRkkiJTE5NjVkOTU3MjBmZmZjMTIzOTQxYmRmYjdkMmU2ODcwBjsAVEkiCGZvbwY7AEZpBg==--315fb9931921a87ae7421aec96382f0294119749"`
			`render nothing: true`
			`end`

			`def write_session`
			`session[:foo] = session[:foo] + 1`
			`render nothing: true`
			`end`

			`def read_session`
			`render text: session[:foo]`
			`end`

			`def read_encrypted_cookie`
			`render text: cookies.encrypted[:_myapp_session]['foo']`
			`end`

			`def read_raw_cookie`
			`render text: cookies[:_myapp_session]`
			`end`
			`end`
			`RUBY`

			`add_to_config <<-RUBY`
`secret_token` is now saved in `Rails.application.secrets.secret_token` - `secrets.secret_token` is now used in all places `config.secret_token` was - `secrets.secret_token`, when not present in `config/secrets.yml`, now falls back to the value of `config.secret_token` - when `secrets.secret_token` is set, it over-writes `config.secret_token` so they are the same (for backwards-compatibility) - Update docs to reference app.secrets in all places - Remove references to `config.secret_token`, `config.secret_key_base` - Warn that missing secret_key_base is deprecated - Add tests for secret_token, key_generator, and message_verifier - the legacy key generator is used with the message verifier when secrets.secret_key_base is blank and secret_token is set - app.key_generator raises when neither secrets.secret_key_base nor secret_token are set - app.env_config raises when neither secrets.secret_key_base nor secret_token are set - Add changelog Run focused tests via ruby -w -Itest test/application/configuration_test.rb -n '/secret_\|key_/' 2014-10-27 13:04:37 -04:00			`secrets.secret_token = "3b7cd727ee24e8444053437c36cc66c4"`
Add UpgradeSignatureToEncryptionCookieStore This allows easy upgrading from the old signed Cookie Store <= 3.2 or the deprecated one in 4.0 (the ones that doesn't use key derivation) to the new one that signs using key derivation 2012-11-16 14:17:08 -05:00			`RUBY`

			`require "#{app_path}/config/environment"`

			`get '/foo/write_raw_session'`
			`get '/foo/read_session'`
			`assert_equal '1', last_response.body`

			`get '/foo/write_session'`
			`get '/foo/read_session'`
			`assert_equal '2', last_response.body`

			`get '/foo/read_encrypted_cookie'`
			`assert_equal '2', last_response.body`

			`secret = app.key_generator.generate_key('encrypted cookie')`
			`sign_secret = app.key_generator.generate_key('signed encrypted cookie')`
			`encryptor = ActiveSupport::MessageEncryptor.new(secret, sign_secret)`

			`get '/foo/read_raw_cookie'`
			`assert_equal 2, encryptor.decrypt_and_verify(last_response.body)['foo']`
			`end`
Allow transparent upgrading of legacy signed cookies to encrypted cookies; Automatically configure cookie-based sessions to use the best cookie jar given the app's config 2013-03-28 15:35:48 -04:00
			`test "session upgrading legacy signed cookies to new signed cookies" do`
			`app_file 'config/routes.rb', <<-RUBY`
Removing use of subclassed application constant and instead using the more agnostic Rails.application syntax. This means tests will be more portable, and won't rely on the existence of a particular subclass. 2013-06-03 23:57:01 -04:00			`Rails.application.routes.draw do`
Allow transparent upgrading of legacy signed cookies to encrypted cookies; Automatically configure cookie-based sessions to use the best cookie jar given the app's config 2013-03-28 15:35:48 -04:00			`get ':controller(/:action)'`
			`end`
			`RUBY`

			`controller :foo, <<-RUBY`
			`class FooController < ActionController::Base`
			`def write_raw_session`
			`# {"session_id"=>"1965d95720fffc123941bdfb7d2e6870", "foo"=>1}`
			`cookies[:_myapp_session] = "BAh7B0kiD3Nlc3Npb25faWQGOgZFRkkiJTE5NjVkOTU3MjBmZmZjMTIzOTQxYmRmYjdkMmU2ODcwBjsAVEkiCGZvbwY7AEZpBg==--315fb9931921a87ae7421aec96382f0294119749"`
			`render nothing: true`
			`end`

			`def write_session`
			`session[:foo] = session[:foo] + 1`
			`render nothing: true`
			`end`

			`def read_session`
			`render text: session[:foo]`
			`end`

			`def read_signed_cookie`
			`render text: cookies.signed[:_myapp_session]['foo']`
			`end`

			`def read_raw_cookie`
			`render text: cookies[:_myapp_session]`
			`end`
			`end`
			`RUBY`

			`add_to_config <<-RUBY`
`secret_token` is now saved in `Rails.application.secrets.secret_token` - `secrets.secret_token` is now used in all places `config.secret_token` was - `secrets.secret_token`, when not present in `config/secrets.yml`, now falls back to the value of `config.secret_token` - when `secrets.secret_token` is set, it over-writes `config.secret_token` so they are the same (for backwards-compatibility) - Update docs to reference app.secrets in all places - Remove references to `config.secret_token`, `config.secret_key_base` - Warn that missing secret_key_base is deprecated - Add tests for secret_token, key_generator, and message_verifier - the legacy key generator is used with the message verifier when secrets.secret_key_base is blank and secret_token is set - app.key_generator raises when neither secrets.secret_key_base nor secret_token are set - app.env_config raises when neither secrets.secret_key_base nor secret_token are set - Add changelog Run focused tests via ruby -w -Itest test/application/configuration_test.rb -n '/secret_\|key_/' 2014-10-27 13:04:37 -04:00			`secrets.secret_token = "3b7cd727ee24e8444053437c36cc66c4"`
Replace config.secret_key_base with secrets.secret_key_base in test 2013-12-12 11:07:31 -05:00			`secrets.secret_key_base = nil`
Allow transparent upgrading of legacy signed cookies to encrypted cookies; Automatically configure cookie-based sessions to use the best cookie jar given the app's config 2013-03-28 15:35:48 -04:00			`RUBY`

			`require "#{app_path}/config/environment"`

			`get '/foo/write_raw_session'`
			`get '/foo/read_session'`
			`assert_equal '1', last_response.body`

			`get '/foo/write_session'`
			`get '/foo/read_session'`
			`assert_equal '2', last_response.body`

			`get '/foo/read_signed_cookie'`
			`assert_equal '2', last_response.body`

`secret_token` is now saved in `Rails.application.secrets.secret_token` - `secrets.secret_token` is now used in all places `config.secret_token` was - `secrets.secret_token`, when not present in `config/secrets.yml`, now falls back to the value of `config.secret_token` - when `secrets.secret_token` is set, it over-writes `config.secret_token` so they are the same (for backwards-compatibility) - Update docs to reference app.secrets in all places - Remove references to `config.secret_token`, `config.secret_key_base` - Warn that missing secret_key_base is deprecated - Add tests for secret_token, key_generator, and message_verifier - the legacy key generator is used with the message verifier when secrets.secret_key_base is blank and secret_token is set - app.key_generator raises when neither secrets.secret_key_base nor secret_token are set - app.env_config raises when neither secrets.secret_key_base nor secret_token are set - Add changelog Run focused tests via ruby -w -Itest test/application/configuration_test.rb -n '/secret_\|key_/' 2014-10-27 13:04:37 -04:00			`verifier = ActiveSupport::MessageVerifier.new(app.secrets.secret_token)`
Allow transparent upgrading of legacy signed cookies to encrypted cookies; Automatically configure cookie-based sessions to use the best cookie jar given the app's config 2013-03-28 15:35:48 -04:00
			`get '/foo/read_raw_cookie'`
			`assert_equal 2, verifier.verify(last_response.body)['foo']`
			`end`
config.force_ssl should mark the session as secure. 2012-01-12 14:46:54 -05:00			`end`
			`end`