diff --git a/rack-protection/lib/rack/protection/session_hijacking.rb b/rack-protection/lib/rack/protection/session_hijacking.rb index b6738ffe..4ab047a1 100644 --- a/rack-protection/lib/rack/protection/session_hijacking.rb +++ b/rack-protection/lib/rack/protection/session_hijacking.rb @@ -9,12 +9,12 @@ module Rack # # Tracks request properties like the user agent in the session and empties # the session if those properties change. This essentially prevents attacks - # from Firesheep. Since all headers taken into consideration might be - # spoofed, too, this will not prevent all hijacking attempts. + # from Firesheep. Since all headers taken into consideration can be + # spoofed, too, this will not prevent determined hijacking attempts. class SessionHijacking < Base default_reaction :drop_session default_options :tracking_key => :tracking, :encrypt_tracking => true, - :track => %w[HTTP_USER_AGENT HTTP_ACCEPT_ENCODING HTTP_ACCEPT_LANGUAGE] + :track => %w[HTTP_USER_AGENT HTTP_ACCEPT_LANGUAGE] def accepts?(env) session = session env diff --git a/rack-protection/spec/session_hijacking_spec.rb b/rack-protection/spec/session_hijacking_spec.rb index 1692aa9e..21cd13fd 100644 --- a/rack-protection/spec/session_hijacking_spec.rb +++ b/rack-protection/spec/session_hijacking_spec.rb @@ -17,11 +17,12 @@ describe Rack::Protection::SessionHijacking do session.should be_empty end - it "denies requests with a changing Accept-Encoding header" do + it "accepts requests with a changing Accept-Encoding header" do + # this is tested because previously it led to clearing the session session = {:foo => :bar} get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_ENCODING' => 'a' get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_ENCODING' => 'b' - session.should be_empty + session.should_not be_empty end it "denies requests with a changing Accept-Language header" do