test/spec_session_cookie.rb in rack-1.4.0 vs test/spec_session_cookie.rb in rack-1.4.1
- old
+ new
@@ -121,10 +121,14 @@
it "survives broken cookies" do
res = Rack::MockRequest.new(Rack::Session::Cookie.new(incrementor)).
get("/", "HTTP_COOKIE" => "rack.session=blarghfasel")
res.body.should.equal '{"counter"=>1}'
+
+ app = Rack::Session::Cookie.new(incrementor, :secret => 'test')
+ res = Rack::MockRequest.new(app).get("/", "HTTP_COOKIE" => "rack.session=")
+ res.body.should.equal '{"counter"=>1}'
end
bigcookie = lambda do |env|
env["rack.session"]["cookie"] = "big" * 3000
Rack::Response.new(env["rack.session"].inspect).to_a
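Review bot: The new `rack.session=` request asserts only on the body, so it cannot distinguish a discarded cookie from a session that was simply never loaded; adding `res["Set-Cookie"].should.not.be.nil` after the last `should.equal` would confirm the middleware issued a fresh cookie in place of the broken one. The signed configuration is exercised only with an empty value, while the unsigned case above it uses `blarghfasel`; a third request sending `rack.session=blarghfasel` to the `:secret => 'test'` app would presumably cover the value-without-digest shape as well. The `bigcookie` lambda that begins at the end of this hunk continues outside it.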
@@ -135,20 +139,23 @@
Rack::MockRequest.new(Rack::Session::Cookie.new(bigcookie)).
get("/", :fatal => true)
}.should.raise(Rack::MockRequest::FatalWarning)
end
- it "loads from a cookie wih integrity hash" do
+ it "loads from a cookie with integrity hash" do
res = Rack::MockRequest.new(Rack::Session::Cookie.new(incrementor, :secret => 'test')).get("/")
cookie = res["Set-Cookie"]
res = Rack::MockRequest.new(Rack::Session::Cookie.new(incrementor, :secret => 'test')).
get("/", "HTTP_COOKIE" => cookie)
res.body.should.equal '{"counter"=>2}'
cookie = res["Set-Cookie"]
res = Rack::MockRequest.new(Rack::Session::Cookie.new(incrementor, :secret => 'test')).
get("/", "HTTP_COOKIE" => cookie)
res.body.should.equal '{"counter"=>3}'
+ res = Rack::MockRequest.new(Rack::Session::Cookie.new(incrementor, :secret => 'other')).
+ get("/", "HTTP_COOKIE" => cookie)
+ res.body.should.equal '{"counter"=>1}'
end
it "loads from a cookie wih accept-only integrity hash for graceful key rotation" do
res = Rack::MockRequest.new(Rack::Session::Cookie.new(incrementor, :secret => 'test')).get("/")
cookie = res["Set-Cookie"]
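Review bot: The three added lines that replay `cookie` against an app built with `:secret => 'other'` carry no explanation, and the expected `'{"counter"=>1}'` reads like a copy of the earlier assertions rather than a rejection check; a one-line comment before them, `# A cookie signed under a different secret must be rejected and the session restarted.`, would make the intent clear. Asserting that `res["Set-Cookie"]` differs from `cookie` would additionally show that the rejected session was replaced rather than left unchanged. The following `it "loads from a cookie wih accept-only integrity hash ..."` block starts in this hunk and ends outside it.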
@@ -163,20 +170,35 @@
it "ignores tampered with session cookies" do
app = Rack::Session::Cookie.new(incrementor, :secret => 'test')
response1 = Rack::MockRequest.new(app).get("/")
response1.body.should.equal '{"counter"=>1}'
+ response1 = Rack::MockRequest.new(app).get("/", "HTTP_COOKIE" => response1["Set-Cookie"])
+ response1.body.should.equal '{"counter"=>2}'
_, digest = response1["Set-Cookie"].split("--")
tampered_with_cookie = "hackerman-was-here" + "--" + digest
response2 = Rack::MockRequest.new(app).get("/", "HTTP_COOKIE" =>
tampered_with_cookie)
- # Tampared cookie was ignored. Counter is back to 1.
+ # Tampered cookie was ignored. Counter is back to 1.
response2.body.should.equal '{"counter"=>1}'
end
+ it "supports either of secret or old_secret" do
+ app = Rack::Session::Cookie.new(incrementor, :secret => 'test')
+ res = Rack::MockRequest.new(app).get("/")
+ res.body.should.equal '{"counter"=>1}'
+ res = Rack::MockRequest.new(app).get("/", "HTTP_COOKIE" => res["Set-Cookie"])
+ res.body.should.equal '{"counter"=>2}'
+ app = Rack::Session::Cookie.new(incrementor, :old_secret => 'test')
+ res = Rack::MockRequest.new(app).get("/")
+ res.body.should.equal '{"counter"=>1}'
+ res = Rack::MockRequest.new(app).get("/", "HTTP_COOKIE" => res["Set-Cookie"])
+ res.body.should.equal '{"counter"=>2}'
+ end
+
describe "1.9 bugs relating to inspecting yet-to-be-loaded from cookie data: Rack::Session::Abstract::SessionHash" do
it "can handle Rack::Lint middleware" do
app = Rack::Session::Cookie.new(incrementor)
res = Rack::MockRequest.new(app).get("/")
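Review bot: The new `supports either of secret or old_secret` test repeats the same five-line round trip twice, differing only in the option key, so a future change to one half can silently drift from the other; iterating over the two keys keeps one copy of the assertions. There also appears to be no blank line between the preceding `end` and the new `it`, while a blank line is added after the test — if the rendering did not drop it, the spacing should be made consistent with the rest of the file. The `describe` block that begins at the end of this hunk continues outside it.
```ruby
it "supports either of secret or old_secret" do
  [:secret, :old_secret].each do |key|
    app = Rack::Session::Cookie.new(incrementor, key => 'test')
    res = Rack::MockRequest.new(app).get("/")
    res.body.should.equal '{"counter"=>1}'
    res = Rack::MockRequest.new(app).get("/", "HTTP_COOKIE" => res["Set-Cookie"])
    res.body.should.equal '{"counter"=>2}'
  end
end
```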
@@ -223,9 +245,10 @@
res = Rack::MockRequest.new(app).get("/")
res["Set-Cookie"].should.be.nil
res = Rack::MockRequest.new(app).get("/", "HTTPS" => "on")
res["Set-Cookie"].should.not.be.nil
+ res["Set-Cookie"].should.match(/secure/)
end
it "does not return a cookie if cookie was not read/written" do
app = Rack::Session::Cookie.new(nothing)
res = Rack::MockRequest.new(app).get("/")