1 require 'abstract_unit'
4 class SessionFixationTest
< Test
::Unit::TestCase
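# Minimal CGI stand-in for the tests below: the request environment is taken
# from a hash instead of ENV, and anything the CGI object writes is captured
# in a StringIO rather than going to STDOUT.
class MockCGI < CGI #:nodoc:
  attr_accessor :stdoutput, :env_table

  # env::  hash of CGI environment variables (REQUEST_METHOD, QUERY_STRING, ...)
  # data:: request body handed to CGI as its stdin (defaults to empty)
  def initialize(env, data = '')
    # CGI consults #env_table for request metadata, so the supplied hash has to
    # be stored; otherwise the +env+ argument is dropped and the accessor stays nil.
    self.env_table = env
    self.stdoutput = StringIO.new
    # NOTE(review): the two-argument form relies on the CGI extensions loaded by
    # the test harness (plain stdlib CGI takes at most one argument) — confirm.
    super(nil, StringIO.new(data))
  end
end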
# Controller exercised by the fixation tests. Every action except
# +default_session_key+ runs with a custom cookie name and a random secret;
# only +allow_session_fixation+ accepts a session id outside the cookie.
class TestController < ActionController::Base
  session :session_key => '_myapp_session_id',
          :secret      => CGI::Session.generate_unique_id,
          :except      => :default_session_key
  session :cookie_only => false, :only => :allow_session_fixation

  def default_session_key
    render(:text => "default_session_key")
  end

  def custom_session_key
    render(:text => "custom_session_key: #{params[:id]}")
  end

  def allow_session_fixation
    render(:text => "allow_session_fixation")
  end

  # Re-raise the current exception so an action failure reaches the test
  # instead of being turned into an error page.
  def rescue_action(e)
    raise
  end
end
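# Test::Unit hook: build a fresh controller before every test so session and
# response state never leak between examples. As a bare statement in the class
# body the assignment would set a class-level ivar and leave the tests' own
# @controller nil.
def setup
  @controller = TestController.new
end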
# An ordinary query parameter must not be mistaken for a session id: the
# request goes through, renders, and leaves a session behind.
def test_should_be_able_to_make_a_successful_request
  cgi = mock_cgi_for_request_to(:custom_session_key, :id => 1)

  assert_nothing_raised do
    request  = ActionController::CgiRequest.new(cgi, {})
    response = ActionController::CgiResponse.new(cgi)
    @controller.send(:process, request, response)
  end
  assert_equal 'custom_session_key: 1', @controller.response.body
  assert_not_nil @controller.session
end
# The configured session key arrives in the query string; with the default
# cookie-only setting that is a fixation attempt and must be rejected before
# any session is created.
def test_should_catch_session_fixation_attempt
  cgi = mock_cgi_for_request_to(:custom_session_key, :_myapp_session_id => 42)

  assert_raises ActionController::CgiRequest::SessionFixationAttempt do
    request  = ActionController::CgiRequest.new(cgi, {})
    response = ActionController::CgiResponse.new(cgi)
    @controller.send(:process, request, response)
  end
  assert_nil @controller.session
end
# With :cookie_only => false on this action, a session id in the query
# string is accepted: the action renders and a session exists afterwards.
def test_should_not_catch_session_fixation_attempt_when_cookie_only_setting_is_disabled
  cgi = mock_cgi_for_request_to(:allow_session_fixation, :_myapp_session_id => 42)

  assert_nothing_raised do
    request  = ActionController::CgiRequest.new(cgi, {})
    response = ActionController::CgiResponse.new(cgi)
    @controller.send(:process, request, response)
  end
  body = @controller.response.body
  assert !body.blank?
  assert_not_nil @controller.session
end
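# Same check as above but for the framework's default session key. Using the
# default session_key is not possible with the cookie store, so the store is
# switched to PStore for this test only. The store is class-level state shared
# by every test in the process, so it is restored in +ensure+; without that,
# later tests would silently run against PStore.
def test_should_catch_session_fixation_attempt_with_default_session_key
  # NOTE(review): the reader returns the store class while the writer also
  # accepts a symbol — confirm the round trip on the Rails version in use.
  previous_store = ActionController::Base.session_store
  ActionController::Base.session_store = :p_store
  cgi = mock_cgi_for_request_to(:default_session_key, :_session_id => 42)

  assert_raises ActionController::CgiRequest::SessionFixationAttempt do
    request  = ActionController::CgiRequest.new(cgi, {})
    response = ActionController::CgiResponse.new(cgi)
    @controller.send(:process, request, response)
  end
  assert @controller.response.body.blank?
  assert_nil @controller.session
ensure
  ActionController::Base.session_store = previous_store if previous_store
end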
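# Builds a MockCGI for a GET to +action+. +params+ is serialised into the
# query string (Hash#to_query from ActiveSupport), so placing a session key in
# it simulates an attacker supplying the session id via the URL. The env hash
# has to be passed to MockCGI.new — as a bare literal it was never consumed.
def mock_cgi_for_request_to(action, params = {})
  MockCGI.new({
    "REQUEST_METHOD" => "GET",
    "QUERY_STRING"   => "action=#{action}&#{params.to_query}",
    "SERVER_PORT"    => "80",
    "HTTP_HOST"      => "testdomain.com" }, '')
end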