From 2585e42ea5a35fb88b7e1a1f5e4aee0d4f60774d Mon Sep 17 00:00:00 2001 From: Pelle Braendgaard Date: Sun, 14 Sep 2008 20:26:51 -0700 Subject: [PATCH] Added support for http_only cookies in cookie_store --- actionpack/lib/action_controller/cgi_process.rb | 3 ++- .../lib/action_controller/session/cookie_store.rb | 3 ++- .../lib/action_controller/session_management.rb | 4 ++++ 3 files changed, 8 insertions(+), 2 deletions(-) diff --git a/actionpack/lib/action_controller/cgi_process.rb b/actionpack/lib/action_controller/cgi_process.rb index d381af1..fabacd9 100644 --- a/actionpack/lib/action_controller/cgi_process.rb +++ b/actionpack/lib/action_controller/cgi_process.rb @@ -42,7 +42,8 @@ module ActionController #:nodoc: :prefix => "ruby_sess.", # prefix session file names :session_path => "/", # available to all paths in app :session_key => "_session_id", - :cookie_only => true + :cookie_only => true, + :session_http_only=> true } def initialize(cgi, session_options = {}) diff --git a/actionpack/lib/action_controller/session/cookie_store.rb b/actionpack/lib/action_controller/session/cookie_store.rb index 5bf7503..f2fb200 100644 --- a/actionpack/lib/action_controller/session/cookie_store.rb +++ b/actionpack/lib/action_controller/session/cookie_store.rb @@ -70,7 +70,8 @@ class CGI::Session::CookieStore 'path' => options['session_path'], 'domain' => options['session_domain'], 'expires' => options['session_expires'], - 'secure' => options['session_secure'] + 'secure' => options['session_secure'], + 'http_only' => options['session_http_only'] } # Set no_hidden and no_cookies since the session id is unused and we diff --git a/actionpack/lib/action_controller/session_management.rb b/actionpack/lib/action_controller/session_management.rb index f5a1155..fd3d94e 100644 --- a/actionpack/lib/action_controller/session_management.rb +++ b/actionpack/lib/action_controller/session_management.rb @@ -60,6 +60,10 @@ module ActionController #:nodoc: # # the session will only work over HTTPS, but only for the foo action # session :only => :foo, :session_secure => true # + # # the session by default uses HttpOnly sessions for security reasons. + # # this can be switched off. + # session :only => :foo, :session_http_only => false + # # # the session will only be disabled for 'foo', and only if it is # # requested as a web service # session :off, :only => :foo, -- 1.5.5.3 From 60ca39cc5732f965bc5c01d0eae07f419d401358 Mon Sep 17 00:00:00 2001 From: Pelle Braendgaard Date: Mon, 15 Sep 2008 12:05:00 -0700 Subject: [PATCH] Added http_only as default to rack_process Added unit tests for secure and http_only cookies to cookie_store --- actionpack/lib/action_controller/rack_process.rb | 3 +- .../test/controller/session/cookie_store_test.rb | 53 +++++++++++++++++++- 2 files changed, 54 insertions(+), 2 deletions(-) diff --git a/actionpack/lib/action_controller/rack_process.rb b/actionpack/lib/action_controller/rack_process.rb index 1ace16d..e8ea370 100644 --- a/actionpack/lib/action_controller/rack_process.rb +++ b/actionpack/lib/action_controller/rack_process.rb @@ -14,7 +14,8 @@ module ActionController #:nodoc: :prefix => "ruby_sess.", # prefix session file names :session_path => "/", # available to all paths in app :session_key => "_session_id", - :cookie_only => true + :cookie_only => true, + :session_http_only=> true } def initialize(env, session_options = DEFAULT_SESSION_OPTIONS) diff --git a/actionpack/test/controller/session/cookie_store_test.rb b/actionpack/test/controller/session/cookie_store_test.rb index 5adaeaf..5e3ecbf 100644 --- a/actionpack/test/controller/session/cookie_store_test.rb +++ b/actionpack/test/controller/session/cookie_store_test.rb @@ -36,7 +36,9 @@ class CookieStoreTest < Test::Unit::TestCase 'session_key' => '_myapp_session', 'secret' => 'Keep it secret; keep it safe.', 'no_cookies' => true, - 'no_hidden' => true } + 'no_hidden' => true, + 'session_http_only' => true + } end def self.cookies @@ -149,6 +151,48 @@ class CookieStoreTest < Test::Unit::TestCase assert_equal 1, session.cgi.output_cookies.size cookie = session.cgi.output_cookies.first assert_cookie cookie, cookie_value(:flashed) + assert_http_only_cookie cookie + assert_secure_cookie cookie, false + end + end + + def test_writes_non_secure_cookie_by_default + set_cookie! cookie_value(:typical) + new_session do |session| + session['flash'] = {} + session.close + cookie = session.cgi.output_cookies.first + assert_secure_cookie cookie,false + end + end + + def test_writes_secure_cookie + set_cookie! cookie_value(:typical) + new_session('session_secure'=>true) do |session| + session['flash'] = {} + session.close + cookie = session.cgi.output_cookies.first + assert_secure_cookie cookie + end + end + + def test_http_only_cookie_by_default + set_cookie! cookie_value(:typical) + new_session do |session| + session['flash'] = {} + session.close + cookie = session.cgi.output_cookies.first + assert_http_only_cookie cookie + end + end + + def test_overides_http_only_cookie + set_cookie! cookie_value(:typical) + new_session('session_http_only'=>false) do |session| + session['flash'] = {} + session.close + cookie = session.cgi.output_cookies.first + assert_http_only_cookie cookie, false end end @@ -195,6 +239,13 @@ class CookieStoreTest < Test::Unit::TestCase assert_equal expires, cookie.expires ? cookie.expires.to_date : cookie.expires, message end + def assert_secure_cookie(cookie,value=true) + assert cookie.secure==value + end + + def assert_http_only_cookie(cookie,value=true) + assert cookie.http_only==value + end def cookies(*which) self.class.cookies.values_at(*which) diff --git a/actionpack/test/controller/session_management_test.rb b/actionpack/test/controller/session_management_test.rb index 592b0b5..e929426 100644 -- 1.5.5.3