rails--rails/actionpack/test/controller/session/cookie_store_test.rb

require 'abstract_unit'
require 'stringio'

class CookieStoreTest < ActionController::IntegrationTest
  SessionKey = '_myapp_session'
  SessionSecret = 'b3c631c314c0bbca50c1b2843150fe33'

  DispatcherApp = ActionController::Dispatcher.new
  CookieStoreApp = ActionController::Session::CookieStore.new(DispatcherApp,
                     :key => SessionKey, :secret => SessionSecret)

  Verifier = ActiveSupport::MessageVerifier.new(SessionSecret, 'SHA1')

  SignedBar = "BAh7BjoIZm9vIghiYXI%3D--" +
    "fef868465920f415f2c0652d6910d3af288a0367"

  class TestController < ActionController::Base
    def no_session_access
      head :ok
    end

    def persistent_session_id
      render :text => session[:session_id]
    end

    def set_session_value
      session[:foo] = "bar"
      render :text => Marshal.dump(session.to_hash)
    end

    def get_session_value
      render :text => "foo: #{session[:foo].inspect}"
    end

    def raise_data_overflow
      session[:foo] = 'bye!' * 1024
      head :ok
    end

    def rescue_action(e) raise end
  end

  def setup
    @integration_session = open_session(CookieStoreApp)
  end

  def test_raises_argument_error_if_missing_session_key
    assert_raise(ArgumentError, nil.inspect) {
      ActionController::Session::CookieStore.new(nil,
        :key => nil, :secret => SessionSecret)
    }

    assert_raise(ArgumentError, ''.inspect) {
      ActionController::Session::CookieStore.new(nil,
        :key => '', :secret => SessionSecret)
    }
  end

  def test_raises_argument_error_if_missing_secret
    assert_raise(ArgumentError, nil.inspect) {
      ActionController::Session::CookieStore.new(nil,
       :key => SessionKey, :secret => nil)
    }

    assert_raise(ArgumentError, ''.inspect) {
      ActionController::Session::CookieStore.new(nil,
       :key => SessionKey, :secret => '')
    }
  end

  def test_raises_argument_error_if_secret_is_probably_insecure
    assert_raise(ArgumentError, "password".inspect) {
      ActionController::Session::CookieStore.new(nil,
       :key => SessionKey, :secret => "password")
    }

    assert_raise(ArgumentError, "secret".inspect) {
      ActionController::Session::CookieStore.new(nil,
       :key => SessionKey, :secret => "secret")
    }

    assert_raise(ArgumentError, "12345678901234567890123456789".inspect) {
      ActionController::Session::CookieStore.new(nil,
       :key => SessionKey, :secret => "12345678901234567890123456789")
    }
  end

  def test_setting_session_value
    with_test_route_set do
      get '/set_session_value'
      assert_response :success
      session_payload = Verifier.generate( Marshal.load(response.body) )
      assert_equal ["_myapp_session=#{session_payload}; path=/"],
        headers['Set-Cookie']
   end
  end

  def test_getting_session_value
    with_test_route_set do
      cookies[SessionKey] = SignedBar
      get '/get_session_value'
      assert_response :success
      assert_equal 'foo: "bar"', response.body
   end
  end

  def test_disregards_tampered_sessions
    with_test_route_set do
      cookies[SessionKey] = "BAh7BjoIZm9vIghiYXI%3D--123456780"
      get '/get_session_value'
      assert_response :success
      assert_equal 'foo: nil', response.body
    end
  end

  def test_close_raises_when_data_overflows
    with_test_route_set do
      assert_raise(ActionController::Session::CookieStore::CookieOverflow) {
        get '/raise_data_overflow'
      }
    end
  end

  def test_doesnt_write_session_cookie_if_session_is_not_accessed
    with_test_route_set do
      get '/no_session_access'
      assert_response :success
      assert_equal [], headers['Set-Cookie']
    end
  end

  def test_doesnt_write_session_cookie_if_session_is_unchanged
    with_test_route_set do
      cookies[SessionKey] = "BAh7BjoIZm9vIghiYXI%3D--" +
        "fef868465920f415f2c0652d6910d3af288a0367"
      get '/no_session_access'
      assert_response :success
      assert_equal [], headers['Set-Cookie']
    end
  end

  def test_persistent_session_id
    with_test_route_set do
      cookies[SessionKey] = SignedBar
      get '/persistent_session_id'
      assert_response :success
      assert_equal response.body.size, 32
      session_id = response.body
      get '/persistent_session_id'
      assert_equal session_id, response.body
      reset!
      get '/persistent_session_id'
      assert_not_equal session_id, response.body
    end
  end

  private
    def with_test_route_set
      with_routing do |set|
        set.draw do |map|
          map.with_options :controller => "cookie_store_test/test" do |c|
            c.connect "/:action"
          end
        end
        yield
      end
    end
end
require abstract_unit directly since test is in load path git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8564 5ecf4fe2-1ee6-0310-87b1-e25e094e27de 2008-01-05 13:32:06 +00:00			`require 'abstract_unit'`
Introduce a cookie-based session store as the Rails default. Sessions typically contain at most a user_id and flash message; both fit within the 4K cookie size limit. A secure hash is included with the cookie to ensure data integrity (a user cannot alter his user_id without knowing the secret key included in the hash). If you have more than 4K of session data or don't want your data to be visible to the user, pick another session store. Cookie-based sessions are dramatically faster than the alternatives. git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@6184 5ecf4fe2-1ee6-0310-87b1-e25e094e27de 2007-02-21 09:17:38 +00:00			`require 'stringio'`

Switch to Rack based session stores. 2008-12-15 22:33:31 +00:00			`class CookieStoreTest < ActionController::IntegrationTest`
			`SessionKey = '_myapp_session'`
			`SessionSecret = 'b3c631c314c0bbca50c1b2843150fe33'`
Make sure that cookie sessions use a secret that is at least 30 chars in length. [Koz] git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8184 5ecf4fe2-1ee6-0310-87b1-e25e094e27de 2007-11-21 21:31:45 +00:00
Switch to Rack based session stores. 2008-12-15 22:33:31 +00:00			`DispatcherApp = ActionController::Dispatcher.new`
			`CookieStoreApp = ActionController::Session::CookieStore.new(DispatcherApp,`
			`:key => SessionKey, :secret => SessionSecret)`
Make sure that cookie sessions use a secret that is at least 30 chars in length. [Koz] git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8184 5ecf4fe2-1ee6-0310-87b1-e25e094e27de 2007-11-21 21:31:45 +00:00
Persistent session identifier support for CookieSessionStore and API compat. with the server side stores [#1591 state:resolved] Signed-off-by: Joshua Peek <josh@joshpeek.com> 2008-12-18 17:33:53 +00:00			`Verifier = ActiveSupport::MessageVerifier.new(SessionSecret, 'SHA1')`

Switch to Rack based session stores. 2008-12-15 22:33:31 +00:00			`SignedBar = "BAh7BjoIZm9vIghiYXI%3D--" +`
			`"fef868465920f415f2c0652d6910d3af288a0367"`
Make sure that cookie sessions use a secret that is at least 30 chars in length. [Koz] git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8184 5ecf4fe2-1ee6-0310-87b1-e25e094e27de 2007-11-21 21:31:45 +00:00
Switch to Rack based session stores. 2008-12-15 22:33:31 +00:00			`class TestController < ActionController::Base`
			`def no_session_access`
			`head :ok`
			`end`
Introduce a cookie-based session store as the Rails default. Sessions typically contain at most a user_id and flash message; both fit within the 4K cookie size limit. A secure hash is included with the cookie to ensure data integrity (a user cannot alter his user_id without knowing the secret key included in the hash). If you have more than 4K of session data or don't want your data to be visible to the user, pick another session store. Cookie-based sessions are dramatically faster than the alternatives. git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@6184 5ecf4fe2-1ee6-0310-87b1-e25e094e27de 2007-02-21 09:17:38 +00:00
Persistent session identifier support for CookieSessionStore and API compat. with the server side stores [#1591 state:resolved] Signed-off-by: Joshua Peek <josh@joshpeek.com> 2008-12-18 17:33:53 +00:00			`def persistent_session_id`
			`render :text => session[:session_id]`
			`end`

Switch to Rack based session stores. 2008-12-15 22:33:31 +00:00			`def set_session_value`
			`session[:foo] = "bar"`
Persistent session identifier support for CookieSessionStore and API compat. with the server side stores [#1591 state:resolved] Signed-off-by: Joshua Peek <josh@joshpeek.com> 2008-12-18 17:33:53 +00:00			`render :text => Marshal.dump(session.to_hash)`
Introduce a cookie-based session store as the Rails default. Sessions typically contain at most a user_id and flash message; both fit within the 4K cookie size limit. A secure hash is included with the cookie to ensure data integrity (a user cannot alter his user_id without knowing the secret key included in the hash). If you have more than 4K of session data or don't want your data to be visible to the user, pick another session store. Cookie-based sessions are dramatically faster than the alternatives. git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@6184 5ecf4fe2-1ee6-0310-87b1-e25e094e27de 2007-02-21 09:17:38 +00:00			`end`

Switch to Rack based session stores. 2008-12-15 22:33:31 +00:00			`def get_session_value`
			`render :text => "foo: #{session[:foo].inspect}"`
			`end`
Introduce a cookie-based session store as the Rails default. Sessions typically contain at most a user_id and flash message; both fit within the 4K cookie size limit. A secure hash is included with the cookie to ensure data integrity (a user cannot alter his user_id without knowing the secret key included in the hash). If you have more than 4K of session data or don't want your data to be visible to the user, pick another session store. Cookie-based sessions are dramatically faster than the alternatives. git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@6184 5ecf4fe2-1ee6-0310-87b1-e25e094e27de 2007-02-21 09:17:38 +00:00
Switch to Rack based session stores. 2008-12-15 22:33:31 +00:00			`def raise_data_overflow`
			`session[:foo] = 'bye!' * 1024`
			`head :ok`
			`end`
Don't double-escape cookie store data. Don't split cookie values with newlines into an array. [#130 state:resolved] Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net> 2008-05-12 22:25:56 +00:00
Switch to Rack based session stores. 2008-12-15 22:33:31 +00:00			`def rescue_action(e) raise end`
Introduce a cookie-based session store as the Rails default. Sessions typically contain at most a user_id and flash message; both fit within the 4K cookie size limit. A secure hash is included with the cookie to ensure data integrity (a user cannot alter his user_id without knowing the secret key included in the hash). If you have more than 4K of session data or don't want your data to be visible to the user, pick another session store. Cookie-based sessions are dramatically faster than the alternatives. git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@6184 5ecf4fe2-1ee6-0310-87b1-e25e094e27de 2007-02-21 09:17:38 +00:00			`end`

			`def setup`
Switch to Rack based session stores. 2008-12-15 22:33:31 +00:00			`@integration_session = open_session(CookieStoreApp)`
Introduce a cookie-based session store as the Rails default. Sessions typically contain at most a user_id and flash message; both fit within the 4K cookie size limit. A secure hash is included with the cookie to ensure data integrity (a user cannot alter his user_id without knowing the secret key included in the hash). If you have more than 4K of session data or don't want your data to be visible to the user, pick another session store. Cookie-based sessions are dramatically faster than the alternatives. git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@6184 5ecf4fe2-1ee6-0310-87b1-e25e094e27de 2007-02-21 09:17:38 +00:00			`end`

Cookie session store: raise ArgumentError when :session_key is blank. git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@6415 5ecf4fe2-1ee6-0310-87b1-e25e094e27de 2007-03-13 20:44:16 +00:00			`def test_raises_argument_error_if_missing_session_key`
Switch to Rack based session stores. 2008-12-15 22:33:31 +00:00			`assert_raise(ArgumentError, nil.inspect) {`
			`ActionController::Session::CookieStore.new(nil,`
			`:key => nil, :secret => SessionSecret)`
			`}`

			`assert_raise(ArgumentError, ''.inspect) {`
			`ActionController::Session::CookieStore.new(nil,`
			`:key => '', :secret => SessionSecret)`
			`}`
Cookie session store: raise ArgumentError when :session_key is blank. git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@6415 5ecf4fe2-1ee6-0310-87b1-e25e094e27de 2007-03-13 20:44:16 +00:00			`end`

Introduce a cookie-based session store as the Rails default. Sessions typically contain at most a user_id and flash message; both fit within the 4K cookie size limit. A secure hash is included with the cookie to ensure data integrity (a user cannot alter his user_id without knowing the secret key included in the hash). If you have more than 4K of session data or don't want your data to be visible to the user, pick another session store. Cookie-based sessions are dramatically faster than the alternatives. git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@6184 5ecf4fe2-1ee6-0310-87b1-e25e094e27de 2007-02-21 09:17:38 +00:00			`def test_raises_argument_error_if_missing_secret`
Switch to Rack based session stores. 2008-12-15 22:33:31 +00:00			`assert_raise(ArgumentError, nil.inspect) {`
			`ActionController::Session::CookieStore.new(nil,`
			`:key => SessionKey, :secret => nil)`
			`}`
Introduce a cookie-based session store as the Rails default. Sessions typically contain at most a user_id and flash message; both fit within the 4K cookie size limit. A secure hash is included with the cookie to ensure data integrity (a user cannot alter his user_id without knowing the secret key included in the hash). If you have more than 4K of session data or don't want your data to be visible to the user, pick another session store. Cookie-based sessions are dramatically faster than the alternatives. git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@6184 5ecf4fe2-1ee6-0310-87b1-e25e094e27de 2007-02-21 09:17:38 +00:00
Switch to Rack based session stores. 2008-12-15 22:33:31 +00:00			`assert_raise(ArgumentError, ''.inspect) {`
			`ActionController::Session::CookieStore.new(nil,`
			`:key => SessionKey, :secret => '')`
			`}`
Make sure that cookie sessions use a secret that is at least 30 chars in length. [Koz] git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8184 5ecf4fe2-1ee6-0310-87b1-e25e094e27de 2007-11-21 21:31:45 +00:00			`end`

Switch to Rack based session stores. 2008-12-15 22:33:31 +00:00			`def test_raises_argument_error_if_secret_is_probably_insecure`
			`assert_raise(ArgumentError, "password".inspect) {`
			`ActionController::Session::CookieStore.new(nil,`
			`:key => SessionKey, :secret => "password")`
			`}`
Introduce a cookie-based session store as the Rails default. Sessions typically contain at most a user_id and flash message; both fit within the 4K cookie size limit. A secure hash is included with the cookie to ensure data integrity (a user cannot alter his user_id without knowing the secret key included in the hash). If you have more than 4K of session data or don't want your data to be visible to the user, pick another session store. Cookie-based sessions are dramatically faster than the alternatives. git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@6184 5ecf4fe2-1ee6-0310-87b1-e25e094e27de 2007-02-21 09:17:38 +00:00
Switch to Rack based session stores. 2008-12-15 22:33:31 +00:00			`assert_raise(ArgumentError, "secret".inspect) {`
			`ActionController::Session::CookieStore.new(nil,`
			`:key => SessionKey, :secret => "secret")`
			`}`
Introduce a cookie-based session store as the Rails default. Sessions typically contain at most a user_id and flash message; both fit within the 4K cookie size limit. A secure hash is included with the cookie to ensure data integrity (a user cannot alter his user_id without knowing the secret key included in the hash). If you have more than 4K of session data or don't want your data to be visible to the user, pick another session store. Cookie-based sessions are dramatically faster than the alternatives. git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@6184 5ecf4fe2-1ee6-0310-87b1-e25e094e27de 2007-02-21 09:17:38 +00:00
Switch to Rack based session stores. 2008-12-15 22:33:31 +00:00			`assert_raise(ArgumentError, "12345678901234567890123456789".inspect) {`
			`ActionController::Session::CookieStore.new(nil,`
			`:key => SessionKey, :secret => "12345678901234567890123456789")`
			`}`
Introduce a cookie-based session store as the Rails default. Sessions typically contain at most a user_id and flash message; both fit within the 4K cookie size limit. A secure hash is included with the cookie to ensure data integrity (a user cannot alter his user_id without knowing the secret key included in the hash). If you have more than 4K of session data or don't want your data to be visible to the user, pick another session store. Cookie-based sessions are dramatically faster than the alternatives. git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@6184 5ecf4fe2-1ee6-0310-87b1-e25e094e27de 2007-02-21 09:17:38 +00:00			`end`

Switch to Rack based session stores. 2008-12-15 22:33:31 +00:00			`def test_setting_session_value`
			`with_test_route_set do`
			`get '/set_session_value'`
			`assert_response :success`
Persistent session identifier support for CookieSessionStore and API compat. with the server side stores [#1591 state:resolved] Signed-off-by: Joshua Peek <josh@joshpeek.com> 2008-12-18 17:33:53 +00:00			`session_payload = Verifier.generate( Marshal.load(response.body) )`
			`assert_equal ["_myapp_session=#{session_payload}; path=/"],`
Switch to Rack based session stores. 2008-12-15 22:33:31 +00:00			`headers['Set-Cookie']`
			`end`
Cookie store: test that >4K raises CookieOverflow and that unverifiable cookies are automatically deleted. git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@6294 5ecf4fe2-1ee6-0310-87b1-e25e094e27de 2007-03-03 08:18:30 +00:00			`end`

Switch to Rack based session stores. 2008-12-15 22:33:31 +00:00			`def test_getting_session_value`
			`with_test_route_set do`
			`cookies[SessionKey] = SignedBar`
			`get '/get_session_value'`
			`assert_response :success`
			`assert_equal 'foo: "bar"', response.body`
			`end`
Cookie session store: empty and unchanged sessions don't write a cookie. git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@6226 5ecf4fe2-1ee6-0310-87b1-e25e094e27de 2007-02-25 16:35:24 +00:00			`end`

Switch to Rack based session stores. 2008-12-15 22:33:31 +00:00			`def test_disregards_tampered_sessions`
			`with_test_route_set do`
			`cookies[SessionKey] = "BAh7BjoIZm9vIghiYXI%3D--123456780"`
			`get '/get_session_value'`
			`assert_response :success`
			`assert_equal 'foo: nil', response.body`
Cookie store: test that >4K raises CookieOverflow and that unverifiable cookies are automatically deleted. git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@6294 5ecf4fe2-1ee6-0310-87b1-e25e094e27de 2007-03-03 08:18:30 +00:00			`end`
			`end`

			`def test_close_raises_when_data_overflows`
Switch to Rack based session stores. 2008-12-15 22:33:31 +00:00			`with_test_route_set do`
			`assert_raise(ActionController::Session::CookieStore::CookieOverflow) {`
			`get '/raise_data_overflow'`
			`}`
Added support for http_only cookies in cookie_store Added unit tests for secure and http_only cookies in cookie_store Signed-off-by: Michael Koziarski <michael@koziarski.com> [#1046 state:committed] 2008-09-16 16:22:11 +00:00			`end`
			`end`

Switch to Rack based session stores. 2008-12-15 22:33:31 +00:00			`def test_doesnt_write_session_cookie_if_session_is_not_accessed`
			`with_test_route_set do`
			`get '/no_session_access'`
			`assert_response :success`
			`assert_equal [], headers['Set-Cookie']`
Added support for http_only cookies in cookie_store Added unit tests for secure and http_only cookies in cookie_store Signed-off-by: Michael Koziarski <michael@koziarski.com> [#1046 state:committed] 2008-09-16 16:22:11 +00:00			`end`
			`end`

Switch to Rack based session stores. 2008-12-15 22:33:31 +00:00			`def test_doesnt_write_session_cookie_if_session_is_unchanged`
			`with_test_route_set do`
			`cookies[SessionKey] = "BAh7BjoIZm9vIghiYXI%3D--" +`
			`"fef868465920f415f2c0652d6910d3af288a0367"`
			`get '/no_session_access'`
			`assert_response :success`
			`assert_equal [], headers['Set-Cookie']`
Cookie session store: ensure that new sessions doesn't reuse data from a deleted session in the same request. git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@6424 5ecf4fe2-1ee6-0310-87b1-e25e094e27de 2007-03-14 11:33:10 +00:00			`end`
			`end`

Persistent session identifier support for CookieSessionStore and API compat. with the server side stores [#1591 state:resolved] Signed-off-by: Joshua Peek <josh@joshpeek.com> 2008-12-18 17:33:53 +00:00			`def test_persistent_session_id`
			`with_test_route_set do`
			`cookies[SessionKey] = SignedBar`
			`get '/persistent_session_id'`
			`assert_response :success`
			`assert_equal response.body.size, 32`
			`session_id = response.body`
			`get '/persistent_session_id'`
			`assert_equal session_id, response.body`
			`reset!`
			`get '/persistent_session_id'`
			`assert_not_equal session_id, response.body`
			`end`
			`end`

Introduce a cookie-based session store as the Rails default. Sessions typically contain at most a user_id and flash message; both fit within the 4K cookie size limit. A secure hash is included with the cookie to ensure data integrity (a user cannot alter his user_id without knowing the secret key included in the hash). If you have more than 4K of session data or don't want your data to be visible to the user, pick another session store. Cookie-based sessions are dramatically faster than the alternatives. git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@6184 5ecf4fe2-1ee6-0310-87b1-e25e094e27de 2007-02-21 09:17:38 +00:00			`private`
Switch to Rack based session stores. 2008-12-15 22:33:31 +00:00			`def with_test_route_set`
			`with_routing do \|set\|`
			`set.draw do \|map\|`
			`map.with_options :controller => "cookie_store_test/test" do \|c\|`
			`c.connect "/:action"`
			`end`
			`end`
			`yield`
Introduce a cookie-based session store as the Rails default. Sessions typically contain at most a user_id and flash message; both fit within the 4K cookie size limit. A secure hash is included with the cookie to ensure data integrity (a user cannot alter his user_id without knowing the secret key included in the hash). If you have more than 4K of session data or don't want your data to be visible to the user, pick another session store. Cookie-based sessions are dramatically faster than the alternatives. git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@6184 5ecf4fe2-1ee6-0310-87b1-e25e094e27de 2007-02-21 09:17:38 +00:00			`end`
			`end`
Cookie store: use OpenSSL::HMAC instead of basic hash. Introduce :secret block and :digest option. git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@6296 5ecf4fe2-1ee6-0310-87b1-e25e094e27de 2007-03-03 13:54:54 +00:00			`end`