2008-01-05 08:32:06 -05:00
|
|
|
require 'abstract_unit'
|
2007-02-21 04:17:38 -05:00
|
|
|
require 'stringio'
|
2012-10-30 23:06:46 -04:00
|
|
|
require 'active_support/key_generator'
|
2007-02-21 04:17:38 -05:00
|
|
|
|
2010-09-24 20:15:52 -04:00
|
|
|
class CookieStoreTest < ActionDispatch::IntegrationTest
|
2008-12-15 17:33:31 -05:00
|
|
|
SessionKey = '_myapp_session'
|
|
|
|
SessionSecret = 'b3c631c314c0bbca50c1b2843150fe33'
|
2013-04-02 19:41:57 -04:00
|
|
|
Generator = ActiveSupport::LegacyKeyGenerator.new(SessionSecret)
|
2007-11-21 16:31:45 -05:00
|
|
|
|
2011-09-25 13:51:31 -04:00
|
|
|
Verifier = ActiveSupport::MessageVerifier.new(SessionSecret, :digest => 'SHA1')
|
2011-05-23 07:02:06 -04:00
|
|
|
SignedBar = Verifier.generate(:foo => "bar", :session_id => SecureRandom.hex(16))
|
2007-11-21 16:31:45 -05:00
|
|
|
|
2008-12-15 17:33:31 -05:00
|
|
|
class TestController < ActionController::Base
|
|
|
|
def no_session_access
|
|
|
|
head :ok
|
|
|
|
end
|
2007-02-21 04:17:38 -05:00
|
|
|
|
2008-12-18 12:33:53 -05:00
|
|
|
def persistent_session_id
|
|
|
|
render :text => session[:session_id]
|
|
|
|
end
|
|
|
|
|
2008-12-15 17:33:31 -05:00
|
|
|
def set_session_value
|
|
|
|
session[:foo] = "bar"
|
2009-02-13 21:08:43 -05:00
|
|
|
render :text => Rack::Utils.escape(Verifier.generate(session.to_hash))
|
2007-02-21 04:17:38 -05:00
|
|
|
end
|
|
|
|
|
2008-12-15 17:33:31 -05:00
|
|
|
def get_session_value
|
|
|
|
render :text => "foo: #{session[:foo].inspect}"
|
|
|
|
end
|
2007-02-21 04:17:38 -05:00
|
|
|
|
2009-02-07 00:15:39 -05:00
|
|
|
def get_session_id
|
2015-03-12 10:52:38 -04:00
|
|
|
render :text => "id: #{request.session.id}"
|
2009-02-07 00:15:39 -05:00
|
|
|
end
|
|
|
|
|
2012-09-07 19:00:28 -04:00
|
|
|
def get_class_after_reset_session
|
|
|
|
reset_session
|
|
|
|
render :text => "class: #{session.class}"
|
|
|
|
end
|
|
|
|
|
2010-07-01 18:04:33 -04:00
|
|
|
def call_session_clear
|
|
|
|
session.clear
|
|
|
|
head :ok
|
|
|
|
end
|
|
|
|
|
2008-12-20 15:37:51 -05:00
|
|
|
def call_reset_session
|
|
|
|
reset_session
|
|
|
|
head :ok
|
|
|
|
end
|
|
|
|
|
2008-12-15 17:33:31 -05:00
|
|
|
def raise_data_overflow
|
|
|
|
session[:foo] = 'bye!' * 1024
|
|
|
|
head :ok
|
|
|
|
end
|
2010-07-18 06:51:03 -04:00
|
|
|
|
|
|
|
def change_session_id
|
2015-03-12 10:52:38 -04:00
|
|
|
request.session.options[:id] = nil
|
2010-07-18 06:51:03 -04:00
|
|
|
get_session_id
|
|
|
|
end
|
|
|
|
|
2011-05-04 14:12:27 -04:00
|
|
|
def renew_session_id
|
|
|
|
request.session_options[:renew] = true
|
|
|
|
head :ok
|
|
|
|
end
|
2007-02-21 04:17:38 -05:00
|
|
|
end
|
|
|
|
|
2008-12-15 17:33:31 -05:00
|
|
|
def test_setting_session_value
|
|
|
|
with_test_route_set do
|
|
|
|
get '/set_session_value'
|
|
|
|
assert_response :success
|
2009-02-07 17:18:09 -05:00
|
|
|
assert_equal "_myapp_session=#{response.body}; path=/; HttpOnly",
|
2008-12-15 17:33:31 -05:00
|
|
|
headers['Set-Cookie']
|
2010-05-17 19:43:06 -04:00
|
|
|
end
|
2007-03-03 03:18:30 -05:00
|
|
|
end
|
|
|
|
|
2008-12-15 17:33:31 -05:00
|
|
|
def test_getting_session_value
|
|
|
|
with_test_route_set do
|
|
|
|
cookies[SessionKey] = SignedBar
|
|
|
|
get '/get_session_value'
|
|
|
|
assert_response :success
|
|
|
|
assert_equal 'foo: "bar"', response.body
|
2010-05-17 19:43:06 -04:00
|
|
|
end
|
2007-02-25 11:35:24 -05:00
|
|
|
end
|
|
|
|
|
2009-02-07 00:15:39 -05:00
|
|
|
def test_getting_session_id
|
|
|
|
with_test_route_set do
|
|
|
|
cookies[SessionKey] = SignedBar
|
|
|
|
get '/persistent_session_id'
|
|
|
|
assert_response :success
|
2014-08-18 02:29:21 -04:00
|
|
|
assert_equal 32, response.body.size
|
2009-02-07 00:15:39 -05:00
|
|
|
session_id = response.body
|
|
|
|
|
|
|
|
get '/get_session_id'
|
|
|
|
assert_response :success
|
2010-06-22 09:55:50 -04:00
|
|
|
assert_equal "id: #{session_id}", response.body, "should be able to read session id without accessing the session hash"
|
2009-02-07 00:15:39 -05:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2008-12-15 17:33:31 -05:00
|
|
|
def test_disregards_tampered_sessions
|
|
|
|
with_test_route_set do
|
|
|
|
cookies[SessionKey] = "BAh7BjoIZm9vIghiYXI%3D--123456780"
|
|
|
|
get '/get_session_value'
|
|
|
|
assert_response :success
|
|
|
|
assert_equal 'foo: nil', response.body
|
2007-03-03 03:18:30 -05:00
|
|
|
end
|
|
|
|
end
|
2010-09-24 20:15:52 -04:00
|
|
|
|
2010-09-13 17:29:25 -04:00
|
|
|
def test_does_not_set_secure_cookies_over_http
|
|
|
|
with_test_route_set(:secure => true) do
|
|
|
|
get '/set_session_value'
|
|
|
|
assert_response :success
|
|
|
|
assert_equal nil, headers['Set-Cookie']
|
|
|
|
end
|
|
|
|
end
|
2010-09-24 20:15:52 -04:00
|
|
|
|
2011-05-04 14:12:27 -04:00
|
|
|
def test_properly_renew_cookies
|
|
|
|
with_test_route_set do
|
|
|
|
get '/set_session_value'
|
|
|
|
get '/persistent_session_id'
|
|
|
|
session_id = response.body
|
|
|
|
get '/renew_session_id'
|
|
|
|
get '/persistent_session_id'
|
|
|
|
assert_not_equal response.body, session_id
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2010-09-13 17:29:25 -04:00
|
|
|
def test_does_set_secure_cookies_over_https
|
|
|
|
with_test_route_set(:secure => true) do
|
2015-01-29 09:19:41 -05:00
|
|
|
get '/set_session_value', headers: { 'HTTPS' => 'on' }
|
2010-09-13 17:29:25 -04:00
|
|
|
assert_response :success
|
|
|
|
assert_equal "_myapp_session=#{response.body}; path=/; secure; HttpOnly",
|
|
|
|
headers['Set-Cookie']
|
|
|
|
end
|
|
|
|
end
|
2007-03-03 03:18:30 -05:00
|
|
|
|
2010-06-27 14:35:31 -04:00
|
|
|
# {:foo=>#<SessionAutoloadTest::Foo bar:"baz">, :session_id=>"ce8b0752a6ab7c7af3cdb8a80e6b9e46"}
|
|
|
|
SignedSerializedCookie = "BAh7BzoIZm9vbzodU2Vzc2lvbkF1dG9sb2FkVGVzdDo6Rm9vBjoJQGJhciIIYmF6Og9zZXNzaW9uX2lkIiVjZThiMDc1MmE2YWI3YzdhZjNjZGI4YTgwZTZiOWU0Ng==--2bf3af1ae8bd4e52b9ac2099258ace0c380e601c"
|
|
|
|
|
|
|
|
def test_deserializes_unloaded_classes_on_get_id
|
|
|
|
with_test_route_set do
|
|
|
|
with_autoload_path "session_autoload_test" do
|
|
|
|
cookies[SessionKey] = SignedSerializedCookie
|
|
|
|
get '/get_session_id'
|
|
|
|
assert_response :success
|
|
|
|
assert_equal 'id: ce8b0752a6ab7c7af3cdb8a80e6b9e46', response.body, "should auto-load unloaded class"
|
|
|
|
end
|
|
|
|
end
|
2010-08-14 01:13:00 -04:00
|
|
|
end
|
|
|
|
|
2010-06-27 14:35:31 -04:00
|
|
|
def test_deserializes_unloaded_classes_on_get_value
|
|
|
|
with_test_route_set do
|
2010-08-14 01:13:00 -04:00
|
|
|
with_autoload_path "session_autoload_test" do
|
2010-06-27 14:35:31 -04:00
|
|
|
cookies[SessionKey] = SignedSerializedCookie
|
|
|
|
get '/get_session_value'
|
|
|
|
assert_response :success
|
|
|
|
assert_equal 'foo: #<SessionAutoloadTest::Foo bar:"baz">', response.body, "should auto-load unloaded class"
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2007-03-03 03:18:30 -05:00
|
|
|
def test_close_raises_when_data_overflows
|
2008-12-15 17:33:31 -05:00
|
|
|
with_test_route_set do
|
2010-05-17 19:43:06 -04:00
|
|
|
assert_raise(ActionDispatch::Cookies::CookieOverflow) {
|
2008-12-15 17:33:31 -05:00
|
|
|
get '/raise_data_overflow'
|
|
|
|
}
|
2008-09-16 12:22:11 -04:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2008-12-15 17:33:31 -05:00
|
|
|
def test_doesnt_write_session_cookie_if_session_is_not_accessed
|
|
|
|
with_test_route_set do
|
|
|
|
get '/no_session_access'
|
|
|
|
assert_response :success
|
2010-01-16 18:21:46 -05:00
|
|
|
assert_equal nil, headers['Set-Cookie']
|
2008-09-16 12:22:11 -04:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2008-12-15 17:33:31 -05:00
|
|
|
def test_doesnt_write_session_cookie_if_session_is_unchanged
|
|
|
|
with_test_route_set do
|
|
|
|
cookies[SessionKey] = "BAh7BjoIZm9vIghiYXI%3D--" +
|
|
|
|
"fef868465920f415f2c0652d6910d3af288a0367"
|
|
|
|
get '/no_session_access'
|
|
|
|
assert_response :success
|
2010-01-16 18:21:46 -05:00
|
|
|
assert_equal nil, headers['Set-Cookie']
|
2007-03-14 07:33:10 -04:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2008-12-20 15:37:51 -05:00
|
|
|
def test_setting_session_value_after_session_reset
|
|
|
|
with_test_route_set do
|
|
|
|
get '/set_session_value'
|
|
|
|
assert_response :success
|
2008-12-25 07:10:28 -05:00
|
|
|
session_payload = response.body
|
2009-02-07 17:18:09 -05:00
|
|
|
assert_equal "_myapp_session=#{response.body}; path=/; HttpOnly",
|
2008-12-20 15:37:51 -05:00
|
|
|
headers['Set-Cookie']
|
|
|
|
|
|
|
|
get '/call_reset_session'
|
|
|
|
assert_response :success
|
|
|
|
assert_not_equal [], headers['Set-Cookie']
|
2012-09-07 19:00:28 -04:00
|
|
|
assert_not_nil session_payload
|
2008-12-20 15:37:51 -05:00
|
|
|
assert_not_equal session_payload, cookies[SessionKey]
|
|
|
|
|
|
|
|
get '/get_session_value'
|
|
|
|
assert_response :success
|
|
|
|
assert_equal 'foo: nil', response.body
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2012-09-07 19:00:28 -04:00
|
|
|
def test_class_type_after_session_reset
|
|
|
|
with_test_route_set do
|
|
|
|
get '/set_session_value'
|
|
|
|
assert_response :success
|
|
|
|
assert_equal "_myapp_session=#{response.body}; path=/; HttpOnly",
|
|
|
|
headers['Set-Cookie']
|
|
|
|
|
|
|
|
get '/get_class_after_reset_session'
|
|
|
|
assert_response :success
|
|
|
|
assert_not_equal [], headers['Set-Cookie']
|
|
|
|
assert_equal 'class: ActionDispatch::Request::Session', response.body
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2010-06-22 09:55:50 -04:00
|
|
|
def test_getting_from_nonexistent_session
|
|
|
|
with_test_route_set do
|
|
|
|
get '/get_session_value'
|
|
|
|
assert_response :success
|
|
|
|
assert_equal 'foo: nil', response.body
|
|
|
|
assert_nil headers['Set-Cookie'], "should only create session on write, not read"
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2010-07-01 18:04:33 -04:00
|
|
|
def test_setting_session_value_after_session_clear
|
|
|
|
with_test_route_set do
|
|
|
|
get '/set_session_value'
|
|
|
|
assert_response :success
|
|
|
|
assert_equal "_myapp_session=#{response.body}; path=/; HttpOnly",
|
|
|
|
headers['Set-Cookie']
|
|
|
|
|
|
|
|
get '/call_session_clear'
|
|
|
|
assert_response :success
|
|
|
|
|
|
|
|
get '/get_session_value'
|
|
|
|
assert_response :success
|
|
|
|
assert_equal 'foo: nil', response.body
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2008-12-18 12:33:53 -05:00
|
|
|
def test_persistent_session_id
|
|
|
|
with_test_route_set do
|
|
|
|
cookies[SessionKey] = SignedBar
|
|
|
|
get '/persistent_session_id'
|
|
|
|
assert_response :success
|
2014-08-18 02:29:21 -04:00
|
|
|
assert_equal 32, response.body.size
|
2008-12-18 12:33:53 -05:00
|
|
|
session_id = response.body
|
|
|
|
get '/persistent_session_id'
|
|
|
|
assert_equal session_id, response.body
|
|
|
|
reset!
|
|
|
|
get '/persistent_session_id'
|
|
|
|
assert_not_equal session_id, response.body
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2010-07-18 06:51:03 -04:00
|
|
|
def test_setting_session_id_to_nil_is_respected
|
|
|
|
with_test_route_set do
|
|
|
|
cookies[SessionKey] = SignedBar
|
|
|
|
|
|
|
|
get "/get_session_id"
|
|
|
|
sid = response.body
|
2014-08-18 02:29:21 -04:00
|
|
|
assert_equal 36, sid.size
|
2010-07-18 06:51:03 -04:00
|
|
|
|
|
|
|
get "/change_session_id"
|
|
|
|
assert_not_equal sid, response.body
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2009-01-28 00:05:07 -05:00
|
|
|
def test_session_store_with_expire_after
|
2009-09-26 13:56:53 -04:00
|
|
|
with_test_route_set(:expire_after => 5.hours) do
|
2009-01-28 00:05:07 -05:00
|
|
|
# First request accesses the session
|
|
|
|
time = Time.local(2008, 4, 24)
|
|
|
|
Time.stubs(:now).returns(time)
|
2013-01-10 22:34:52 -05:00
|
|
|
expected_expiry = (time + 5.hours).gmtime.strftime("%a, %d %b %Y %H:%M:%S -0000")
|
2009-01-28 00:05:07 -05:00
|
|
|
|
|
|
|
cookies[SessionKey] = SignedBar
|
|
|
|
|
|
|
|
get '/set_session_value'
|
|
|
|
assert_response :success
|
|
|
|
|
|
|
|
cookie_body = response.body
|
2009-04-13 18:18:45 -04:00
|
|
|
assert_equal "_myapp_session=#{cookie_body}; path=/; expires=#{expected_expiry}; HttpOnly",
|
|
|
|
headers['Set-Cookie']
|
2009-01-28 00:05:07 -05:00
|
|
|
|
|
|
|
# Second request does not access the session
|
|
|
|
time = Time.local(2008, 4, 25)
|
|
|
|
Time.stubs(:now).returns(time)
|
2013-01-10 22:34:52 -05:00
|
|
|
expected_expiry = (time + 5.hours).gmtime.strftime("%a, %d %b %Y %H:%M:%S -0000")
|
2009-01-28 00:05:07 -05:00
|
|
|
|
|
|
|
get '/no_session_access'
|
|
|
|
assert_response :success
|
|
|
|
|
2010-05-17 19:43:06 -04:00
|
|
|
assert_equal "_myapp_session=#{cookie_body}; path=/; expires=#{expected_expiry}; HttpOnly",
|
|
|
|
headers['Set-Cookie']
|
2009-01-28 00:05:07 -05:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2010-06-11 01:55:39 -04:00
|
|
|
def test_session_store_with_explicit_domain
|
|
|
|
with_test_route_set(:domain => "example.es") do
|
|
|
|
get '/set_session_value'
|
2010-09-22 15:03:39 -04:00
|
|
|
assert_match(/domain=example\.es/, headers['Set-Cookie'])
|
2010-06-11 01:55:39 -04:00
|
|
|
headers['Set-Cookie']
|
|
|
|
end
|
|
|
|
end
|
2010-06-11 03:21:12 -04:00
|
|
|
|
2010-08-14 01:13:00 -04:00
|
|
|
def test_session_store_without_domain
|
2010-06-11 01:55:39 -04:00
|
|
|
with_test_route_set do
|
|
|
|
get '/set_session_value'
|
2010-06-24 14:02:23 -04:00
|
|
|
assert_no_match(/domain\=/, headers['Set-Cookie'])
|
2010-06-11 01:55:39 -04:00
|
|
|
end
|
|
|
|
end
|
2010-06-11 03:21:12 -04:00
|
|
|
|
2010-06-11 01:55:39 -04:00
|
|
|
def test_session_store_with_nil_domain
|
|
|
|
with_test_route_set(:domain => nil) do
|
|
|
|
get '/set_session_value'
|
2010-06-24 14:02:23 -04:00
|
|
|
assert_no_match(/domain\=/, headers['Set-Cookie'])
|
2010-06-11 01:55:39 -04:00
|
|
|
end
|
|
|
|
end
|
2010-06-11 03:21:12 -04:00
|
|
|
|
2010-06-11 01:55:39 -04:00
|
|
|
def test_session_store_with_all_domains
|
|
|
|
with_test_route_set(:domain => :all) do
|
|
|
|
get '/set_session_value'
|
2010-06-24 14:02:23 -04:00
|
|
|
assert_match(/domain=\.example\.com/, headers['Set-Cookie'])
|
2010-06-11 01:55:39 -04:00
|
|
|
end
|
|
|
|
end
|
2010-06-11 03:21:12 -04:00
|
|
|
|
2007-02-21 04:17:38 -05:00
|
|
|
private
|
2010-05-17 19:43:06 -04:00
|
|
|
|
|
|
|
# Overwrite get to send SessionSecret in env hash
|
2015-01-04 04:35:06 -05:00
|
|
|
def get(path, *args)
|
|
|
|
args[0] ||= {}
|
|
|
|
args[0][:headers] ||= {}
|
|
|
|
args[0][:headers]["action_dispatch.key_generator"] ||= Generator
|
|
|
|
super(path, *args)
|
2010-05-17 19:43:06 -04:00
|
|
|
end
|
|
|
|
|
2009-09-26 13:56:53 -04:00
|
|
|
def with_test_route_set(options = {})
|
2008-12-15 17:33:31 -05:00
|
|
|
with_routing do |set|
|
2010-08-05 09:44:23 -04:00
|
|
|
set.draw do
|
2012-04-24 23:32:09 -04:00
|
|
|
get ':action', :to => ::CookieStoreTest::TestController
|
2008-12-15 17:33:31 -05:00
|
|
|
end
|
2010-05-17 19:43:06 -04:00
|
|
|
|
2010-05-17 21:18:23 -04:00
|
|
|
options = { :key => SessionKey }.merge!(options)
|
2010-05-17 19:43:06 -04:00
|
|
|
|
|
|
|
@app = self.class.build_app(set) do |middleware|
|
|
|
|
middleware.use ActionDispatch::Session::CookieStore, options
|
|
|
|
middleware.delete "ActionDispatch::ShowExceptions"
|
|
|
|
end
|
|
|
|
|
2008-12-15 17:33:31 -05:00
|
|
|
yield
|
2007-02-21 04:17:38 -05:00
|
|
|
end
|
|
|
|
end
|
2010-06-27 14:35:31 -04:00
|
|
|
|
2007-03-03 08:54:54 -05:00
|
|
|
end
|