require 'sinatra' require 'sinatra/contrib' require 'ap' set :protection, except: :session_hijacking enable :sessions def logged_in? cookies[:success] == 'true' end get '/' do cookies[:success] ||= false if logged_in? <<-HTML Hi there logged-in user! HTML else redirect '/login' end end get '/login' do cookies[:you_need_to] = 'preserve this' <<-HTML
HTML end get '/javascript_login' do cookies[:you_need_to] = 'preserve this' <<-HTML HTML end get '/disappearing_login' do @@visited ||= 0 @@visited += 1 next if @@visited < 5 cookies[:you_need_to] = 'preserve this' <<-HTML HTML end get '/multiple' do <<-HTML HTML end post '/login' do if params['username'] == 'john' && params['password'] == 'doe' && params['token'] == 'secret!' cookies[:success] = true redirect '/' else 'Boohoo...' end end get '/with_nonce' do session[:success] ||= false cookies['session_cookie'] = 'blah' response.set_cookie( 'non_session', value: 'value_of_cookie', expires: Time.now ) if session[:success] <<-HTML Hi there logged-in user! HTML else redirect '/nonce_login' end end get '/nonce_login' do session[:nonce] = rand( 999 ).to_s <<-HTML HTML end post '/nonce_login' do if params['username'] == 'nonce_john' && params['password'] == 'nonce_doe' && params['token'] == session[:nonce] session[:success] = true redirect '/with_nonce' else 'Boohoo...' end end get '/congrats' do <<-EOHTML Congrats, get to the audit! EOHTML end