1 require 'abstract_unit'
4 class CookieStoreTest
< ActionController
::IntegrationTest
5 SessionKey
= '_myapp_session'
6 SessionSecret
= 'b3c631c314c0bbca50c1b2843150fe33'
8 DispatcherApp
= ActionController
::Dispatcher.new
9 CookieStoreApp
= ActionController
::Session::CookieStore.new(DispatcherApp
, :key => SessionKey
, :secret => SessionSecret
)
11 Verifier
= ActiveSupport
::MessageVerifier.new(SessionSecret
, 'SHA1')
13 SignedBar
= "BAh7BjoIZm9vIghiYXI%3D--fef868465920f415f2c0652d6910d3af288a0367"
15 class TestController
< ActionController
::Base
20 def persistent_session_id
21 render
:text => session
[:session_id]
26 render
:text => Rack
::Utils.escape(Verifier
.generate(session
.to_hash
))
30 render
:text => "foo: #{session[:foo].inspect}"
34 render
:text => "foo: #{session[:foo].inspect}; id: #{request.session_options[:id]}"
37 def call_reset_session
42 def raise_data_overflow
43 session
[:foo] = 'bye!' * 1024
47 def rescue_action(e
) raise end
51 @integration_session = open_session(CookieStoreApp
)
54 def test_raises_argument_error_if_missing_session_key
55 assert_raise(ArgumentError
, nil.inspect
) {
56 ActionController
::Session::CookieStore.new(nil,
57 :key => nil, :secret => SessionSecret
)
60 assert_raise(ArgumentError
, ''.inspect
) {
61 ActionController
::Session::CookieStore.new(nil,
62 :key => '', :secret => SessionSecret
)
66 def test_raises_argument_error_if_missing_secret
67 assert_raise(ArgumentError
, nil.inspect
) {
68 ActionController
::Session::CookieStore.new(nil,
69 :key => SessionKey
, :secret => nil)
72 assert_raise(ArgumentError
, ''.inspect
) {
73 ActionController
::Session::CookieStore.new(nil,
74 :key => SessionKey
, :secret => '')
78 def test_raises_argument_error_if_secret_is_probably_insecure
79 assert_raise(ArgumentError
, "password".inspect
) {
80 ActionController
::Session::CookieStore.new(nil,
81 :key => SessionKey
, :secret => "password")
84 assert_raise(ArgumentError
, "secret".inspect
) {
85 ActionController
::Session::CookieStore.new(nil,
86 :key => SessionKey
, :secret => "secret")
89 assert_raise(ArgumentError
, "12345678901234567890123456789".inspect
) {
90 ActionController
::Session::CookieStore.new(nil,
91 :key => SessionKey
, :secret => "12345678901234567890123456789")
95 def test_setting_session_value
96 with_test_route_set
do
97 get
'/set_session_value'
98 assert_response
:success
99 assert_equal
"_myapp_session=#{response.body}; path=/; HttpOnly",
100 headers
['Set-Cookie']
104 def test_getting_session_value
105 with_test_route_set
do
106 cookies
[SessionKey
] = SignedBar
107 get
'/get_session_value'
108 assert_response
:success
109 assert_equal
'foo: "bar"', response
.body
113 def test_getting_session_id
114 with_test_route_set
do
115 cookies
[SessionKey
] = SignedBar
116 get
'/persistent_session_id'
117 assert_response
:success
118 assert_equal response
.body
.size
, 32
119 session_id
= response
.body
121 get
'/get_session_id'
122 assert_response
:success
123 assert_equal
"foo: \"bar\"; id: #{session_id}", response
.body
127 def test_disregards_tampered_sessions
128 with_test_route_set
do
129 cookies
[SessionKey
] = "BAh7BjoIZm9vIghiYXI%3D--123456780"
130 get
'/get_session_value'
131 assert_response
:success
132 assert_equal
'foo: nil', response
.body
136 def test_close_raises_when_data_overflows
137 with_test_route_set
do
138 assert_raise(ActionController
::Session::CookieStore::CookieOverflow) {
139 get
'/raise_data_overflow'
144 def test_doesnt_write_session_cookie_if_session_is_not_accessed
145 with_test_route_set
do
146 get
'/no_session_access'
147 assert_response
:success
148 assert_equal
"", headers
['Set-Cookie']
152 def test_doesnt_write_session_cookie_if_session_is_unchanged
153 with_test_route_set
do
154 cookies
[SessionKey
] = "BAh7BjoIZm9vIghiYXI%3D--" +
155 "fef868465920f415f2c0652d6910d3af288a0367"
156 get
'/no_session_access'
157 assert_response
:success
158 assert_equal
"", headers
['Set-Cookie']
162 def test_setting_session_value_after_session_reset
163 with_test_route_set
do
164 get
'/set_session_value'
165 assert_response
:success
166 session_payload
= response
.body
167 assert_equal
"_myapp_session=#{response.body}; path=/; HttpOnly",
168 headers
['Set-Cookie']
170 get
'/call_reset_session'
171 assert_response
:success
172 assert_not_equal
[], headers
['Set-Cookie']
173 assert_not_equal session_payload
, cookies
[SessionKey
]
175 get
'/get_session_value'
176 assert_response
:success
177 assert_equal
'foo: nil', response
.body
181 def test_persistent_session_id
182 with_test_route_set
do
183 cookies
[SessionKey
] = SignedBar
184 get
'/persistent_session_id'
185 assert_response
:success
186 assert_equal response
.body
.size
, 32
187 session_id
= response
.body
188 get
'/persistent_session_id'
189 assert_equal session_id
, response
.body
191 get
'/persistent_session_id'
192 assert_not_equal session_id
, response
.body
196 def test_session_store_with_expire_after
197 app
= ActionController
::Session::CookieStore.new(DispatcherApp
, :key => SessionKey
, :secret => SessionSecret
, :expire_after => 5.hours
)
198 @integration_session = open_session(app
)
200 with_test_route_set
do
201 # First request accesses the session
202 time
= Time
.local(2008, 4, 24)
203 Time
.stubs(:now).returns(time
)
204 expected_expiry
= (time
+ 5.hours
).gmtime
.strftime("%a, %d-%b-%Y %H:%M:%S GMT")
206 cookies
[SessionKey
] = SignedBar
208 get
'/set_session_value'
209 assert_response
:success
211 cookie_body
= response
.body
212 assert_equal
"_myapp_session=#{cookie_body}; path=/; expires=#{expected_expiry}; HttpOnly",
213 headers
['Set-Cookie']
215 # Second request does not access the session
216 time
= Time
.local(2008, 4, 25)
217 Time
.stubs(:now).returns(time
)
218 expected_expiry
= (time
+ 5.hours
).gmtime
.strftime("%a, %d-%b-%Y %H:%M:%S GMT")
220 get
'/no_session_access'
221 assert_response
:success
223 assert_equal
"_myapp_session=#{cookie_body}; path=/; expires=#{expected_expiry}; HttpOnly",
224 headers
['Set-Cookie']
229 def with_test_route_set
230 with_routing
do |set
|
232 map
.with_options
:controller => "cookie_store_test/test" do |c
|