Diffstat (limited to 'actionpack/test/controller/session')
3 files changed, 72 insertions, 18 deletions
diff --git a/actionpack/test/controller/session/cookie_store_test.rb b/actionpack/test/controller/session/cookie_store_test.rb
index b48a8c3830..9b3f9afb0d 100644
--- a/actionpack/test/controller/session/cookie_store_test.rb
+++ b/actionpack/test/controller/session/cookie_store_test.rb
@@ -24,13 +24,17 @@ class CookieStoreTest < ActionController::IntegrationTest
 
 def set_session_value
 session[:foo] = "bar"
- render :text => Verifier.generate(session.to_hash)
+ render :text => Rack::Utils.escape(Verifier.generate(session.to_hash))
 end
 
 def get_session_value
 render :text => "foo: #{session[:foo].inspect}"
 end
 
+ def get_session_id
+ render :text => "foo: #{session[:foo].inspect}; id: #{request.session_options[:id]}"
+ end
+
 def call_reset_session
 reset_session
 head :ok
@@ -93,7 +97,7 @@ class CookieStoreTest < ActionController::IntegrationTest
 with_test_route_set do
 get '/set_session_value'
 assert_response :success
- assert_equal ["_myapp_session=#{response.body}; path=/; httponly"],
+ assert_equal "_myapp_session=#{response.body}; path=/; HttpOnly",
 headers['Set-Cookie']
 end
 end
@@ -107,6 +111,20 @@ class CookieStoreTest < ActionController::IntegrationTest
 end
 end
 
+ def test_getting_session_id
+ with_test_route_set do
+ cookies[SessionKey] = SignedBar
+ get '/persistent_session_id'
+ assert_response :success
+ assert_equal response.body.size, 32
+ session_id = response.body
+
+ get '/get_session_id'
+ assert_response :success
+ assert_equal "foo: \"bar\"; id: #{session_id}", response.body
+ end
+ end
+
 def test_disregards_tampered_sessions
 with_test_route_set do
 cookies[SessionKey] = "BAh7BjoIZm9vIghiYXI%3D--123456780"
@@ -128,7 +146,7 @@ class CookieStoreTest < ActionController::IntegrationTest
 with_test_route_set do
 get '/no_session_access'
 assert_response :success
- assert_equal [], headers['Set-Cookie']
+ assert_equal "", headers['Set-Cookie']
 end
 end
 
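Review bot: `assert_equal response.body.size, 32` in the added test_getting_session_id has its arguments reversed — assert_equal takes the expected value first, so a failure message would read as if the real length were the expectation; write it as `assert_equal 32, response.body.size`. That check also only pins the length of the id returned by /persistent_session_id; if the store emits hex ids (the 32-character expectation suggests so, but the generator is not on this page) `assert_match(/\A[0-9a-f]{32}\z/, response.body)` would additionally catch a malformed or un-encoded id. The /persistent_session_id route and the SignedBar constant the test relies on are defined outside this hunk.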
@@ -138,7 +156,7 @@ class CookieStoreTest < ActionController::IntegrationTest
 "fef868465920f415f2c0652d6910d3af288a0367"
 get '/no_session_access'
 assert_response :success
- assert_equal [], headers['Set-Cookie']
+ assert_equal "", headers['Set-Cookie']
 end
 end
 
@@ -147,7 +165,7 @@ class CookieStoreTest < ActionController::IntegrationTest
 get '/set_session_value'
 assert_response :success
 session_payload = response.body
- assert_equal ["_myapp_session=#{response.body}; path=/; httponly"],
+ assert_equal "_myapp_session=#{response.body}; path=/; HttpOnly",
 headers['Set-Cookie']
 
 get '/call_reset_session'
@@ -192,7 +210,8 @@ class CookieStoreTest < ActionController::IntegrationTest
 assert_response :success
 
 cookie_body = response.body
- assert_equal ["_myapp_session=#{cookie_body}; path=/; expires=#{expected_expiry}; httponly"], headers['Set-Cookie']
+ assert_equal "_myapp_session=#{cookie_body}; path=/; expires=#{expected_expiry}; HttpOnly",
+ headers['Set-Cookie']
 
 # Second request does not access the session
 time = Time.local(2008, 4, 25)
@@ -202,7 +221,8 @@ class CookieStoreTest < ActionController::IntegrationTest
 
 get '/no_session_access'
 assert_response :success
 
- assert_equal ["_myapp_session=#{cookie_body}; path=/; expires=#{expected_expiry}; httponly"], headers['Set-Cookie']
+ assert_equal "_myapp_session=#{cookie_body}; path=/; expires=#{expected_expiry}; HttpOnly",
+ headers['Set-Cookie']
 end
 end
 
@@ -217,4 +237,13 @@ class CookieStoreTest < ActionController::IntegrationTest
 yield
 end
 end
+
+ def unmarshal_session(cookie_string)
+ session = Rack::Utils.parse_query(cookie_string, ';,').inject({}) {|h,(k,v)|
+ h[k] = Array === v ? v.first : v
+ h
+ }[SessionKey]
+ verifier = ActiveSupport::MessageVerifier.new(SessionSecret, 'SHA1')
+ verifier.verify(session)
+ end
 end
diff --git a/actionpack/test/controller/session/mem_cache_store_test.rb b/actionpack/test/controller/session/mem_cache_store_test.rb
index 2e2bf79148..7561c93e4a 100644
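Review bot: unmarshal_session hard-codes the 'SHA1' digest when it builds its ActiveSupport::MessageVerifier, so it only verifies cookies while the store's own signer (the `Verifier` constant used by set_session_value, defined outside these hunks) uses the same digest and SessionSecret; a comment such as `# must use the same secret and digest the cookie store signs with, or verify raises` would make that coupling visible. The hash-building `inject` with an explicit `h` return is idiomatically `each_with_object`: `Rack::Utils.parse_query(cookie_string, ';,').each_with_object({}) { |(k, v), h| h[k] = Array === v ? v.first : v }[SessionKey]`. The helper is not called in any hunk on this page; if it is unused elsewhere in the file it should be exercised by a test or dropped.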
--- a/actionpack/test/controller/session/mem_cache_store_test.rb
+++ b/actionpack/test/controller/session/mem_cache_store_test.rb
@@ -16,8 +16,15 @@ class MemCacheStoreTest < ActionController::IntegrationTest
 render :text => "foo: #{session[:foo].inspect}"
 end
 
+ def get_session_id
+ session[:foo]
+ render :text => "#{request.session_options[:id]}"
+ end
+
 def call_reset_session
+ session[:bar]
 reset_session
+ session[:bar] = "baz"
 head :ok
 end
 
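Review bot: The bare `session[:foo]` at the top of get_session_id and the `session[:bar]` read before reset_session in call_reset_session are expression statements whose value is discarded, so a later reader will take them for leftovers; presumably they touch the session so a lazily loaded store assigns an id before it is rendered or reset, but that intent is inferred, not visible in the hunk. A one-line comment on each, e.g. `# touch the session so the store loads it before request.session_options[:id] is read`, would document it. Separately, `render :text => "#{request.session_options[:id]}"` interpolates a single value; `render :text => request.session_options[:id].to_s` says the same without a format string.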
@@ -50,38 +57,56 @@ class MemCacheStoreTest < ActionController::IntegrationTest
 with_test_route_set do
 get '/get_session_value'
 assert_response :success
- assert_equal 'foo: nil', response.body
+ assert_equal 'foo: nil', response.body
 end
 end
 
- def test_prevents_session_fixation
+ def test_setting_session_value_after_session_reset
 with_test_route_set do
- get '/get_session_value'
+ get '/set_session_value'
 assert_response :success
- assert_equal 'foo: nil', response.body
+ assert cookies['_session_id']
 session_id = cookies['_session_id']
 
- reset!
+ get '/call_reset_session'
+ assert_response :success
+ assert_not_equal [], headers['Set-Cookie']
 
- get '/set_session_value', :_session_id => session_id
+ get '/get_session_value'
 assert_response :success
- assert_equal nil, cookies['_session_id']
+ assert_equal 'foo: nil', response.body
+
+ get '/get_session_id'
+ assert_response :success
+ assert_not_equal session_id, response.body
 end
 end
 
- def test_setting_session_value_after_session_reset
+ def test_getting_session_id
 with_test_route_set do
 get '/set_session_value'
 assert_response :success
 assert cookies['_session_id']
+ session_id = cookies['_session_id']
 
- get '/call_reset_session'
+ get '/get_session_id'
 assert_response :success
- assert_not_equal [], headers['Set-Cookie']
+ assert_equal session_id, response.body
+ end
+ end
 
+ def test_prevents_session_fixation
+ with_test_route_set do
 get '/get_session_value'
 assert_response :success
 assert_equal 'foo: nil', response.body
+ session_id = cookies['_session_id']
+
+ reset!
+
+ get '/set_session_value', :_session_id => session_id
+ assert_response :success
+ assert_equal nil, cookies['_session_id']
 end
 end
 rescue LoadError, RuntimeError
diff --git a/actionpack/test/controller/session/test_session_test.rb b/actionpack/test/controller/session/test_session_test.rb
index 83103be3ec..de6539e1cc 100644
--- a/actionpack/test/controller/session/test_session_test.rb
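Review bot: `assert_not_equal [], headers['Set-Cookie']` in the rewritten test_setting_session_value_after_session_reset cannot fail if that header is a String — the cookie_store_test hunks in this same commit replace their `[]` expectations with `""`, which suggests it is — because an Array never equals a String, so the test passes even when no fresh session cookie is issued after reset_session. Assert on the header's content instead, e.g. `assert_match(/_session_id=/, headers['Set-Cookie'])`; the later `assert_not_equal session_id, response.body` then pins that the id really rotated, which is the property that matters after a reset. In test_prevents_session_fixation, `assert_equal nil, cookies['_session_id']` reads better as `assert_nil cookies['_session_id']`. The enclosing class continues past the `rescue LoadError, RuntimeError` line that closes this hunk.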
+++ b/actionpack/test/controller/session/test_session_test.rb
@@ -33,7 +33,7 @@ class ActionController::TestSessionTest < ActiveSupport::TestCase
 assert_equal('value', session[:key])
 end
 
- def test_calling_delete_removes item
+ def test_calling_delete_removes_item
 session = ActionController::TestSession.new
 session[:key] = 'value'
 assert_equal('value', session[:key])
 |