Added support for http_only cookies in cookie_store Added unit tests for...

Added support for http_only cookies in cookie_store Added unit tests for secure and http_only cookies in cookie_store Signed-off-by: N Michael Koziarski <michael@koziarski.com> [#1046 state:committed]

Added support for http_only cookies in cookie_store Added unit tests for...
Added support for http_only cookies in cookie_store Added unit tests for secure and http_only cookies in cookie_store Signed-off-by: N Michael Koziarski <michael@koziarski.com> [#1046 state:committed]
7ecb9689 · Pelle Braendgaard · Michael Koziarski · c47525a5 · 7ecb9689 · 7ecb9689
6 changed file
--- a/actionpack/CHANGELOG
+++ b/actionpack/CHANGELOG
 *Edge*

+* Set HttpOnly for the cookie session store's cookie.  #1046 
+
 * Added FormTagHelper#image_submit_tag confirm option #784 [Alastair Brunton]

 * Fixed FormTagHelper#submit_tag with :disable_with option wouldn't submit the button's value when was clicked #633 [Jose Fernandez]

--- a/actionpack/lib/action_controller/cgi_process.rb
+++ b/actionpack/lib/action_controller/cgi_process.rb
@@ -42,7 +42,8 @@ class SessionFixationAttempt < StandardError #:nodoc:
      :prefix           => "ruby_sess.",    # prefix session file names
      :session_path     => "/",             # available to all paths in app
      :session_key      => "_session_id",
-      :cookie_only      => true
+      :cookie_only      => true,
+      :session_http_only=> true
    }

    def initialize(cgi, session_options = {})

--- a/actionpack/lib/action_controller/rack_process.rb
+++ b/actionpack/lib/action_controller/rack_process.rb
@@ -14,7 +14,8 @@ class SessionFixationAttempt < StandardError #:nodoc:
      :prefix           => "ruby_sess.",    # prefix session file names
      :session_path     => "/",             # available to all paths in app
      :session_key      => "_session_id",
-      :cookie_only      => true
+      :cookie_only      => true,
+      :session_http_only=> true
    }

    def initialize(env, session_options = DEFAULT_SESSION_OPTIONS)

--- a/actionpack/lib/action_controller/session/cookie_store.rb
+++ b/actionpack/lib/action_controller/session/cookie_store.rb
@@ -70,7 +70,8 @@ def initialize(session, options = {})
      'path'    => options['session_path'],
      'domain'  => options['session_domain'],
      'expires' => options['session_expires'],
-      'secure'  => options['session_secure']
+      'secure'  => options['session_secure'],
+      'http_only' => options['session_http_only']
    }

    # Set no_hidden and no_cookies since the session id is unused and we

--- a/actionpack/lib/action_controller/session_management.rb
+++ b/actionpack/lib/action_controller/session_management.rb
@@ -60,6 +60,10 @@ def session_options
      #   # the session will only work over HTTPS, but only for the foo action
      #   session :only => :foo, :session_secure => true
      #
+      #   # the session by default uses HttpOnly sessions for security reasons.
+      #   # this can be switched off.
+      #   session :only => :foo, :session_http_only => false
+      #
      #   # the session will only be disabled for 'foo', and only if it is
      #   # requested as a web service
      #   session :off, :only => :foo,

--- a/actionpack/test/controller/session/cookie_store_test.rb
+++ b/actionpack/test/controller/session/cookie_store_test.rb
@@ -36,7 +36,9 @@ def self.default_session_options
      'session_key' => '_myapp_session',
      'secret' => 'Keep it secret; keep it safe.',
      'no_cookies' => true,
-      'no_hidden' => true }
+      'no_hidden' => true,
+      'session_http_only' => true
+       }
  end

  def self.cookies
@@ -149,6 +151,48 @@ def test_close_marshals_and_writes_cookie
      assert_equal 1, session.cgi.output_cookies.size
      cookie = session.cgi.output_cookies.first
      assert_cookie cookie, cookie_value(:flashed)
+      assert_http_only_cookie cookie
+      assert_secure_cookie cookie, false
+    end
+  end
+
+  def test_writes_non_secure_cookie_by_default
+    set_cookie! cookie_value(:typical)
+    new_session do |session|
+      session['flash'] = {}
+      session.close
+      cookie = session.cgi.output_cookies.first
+      assert_secure_cookie cookie,false
+    end
+  end
+
+  def test_writes_secure_cookie
+    set_cookie! cookie_value(:typical)
+    new_session('session_secure'=>true) do |session|
+      session['flash'] = {}
+      session.close
+      cookie = session.cgi.output_cookies.first
+      assert_secure_cookie cookie
+    end
+  end
+
+  def test_http_only_cookie_by_default
+    set_cookie! cookie_value(:typical)
+    new_session do |session|
+      session['flash'] = {}
+      session.close
+      cookie = session.cgi.output_cookies.first
+      assert_http_only_cookie cookie
+    end
+  end
+
+  def test_overides_http_only_cookie
+    set_cookie! cookie_value(:typical)
+    new_session('session_http_only'=>false) do |session|
+      session['flash'] = {}
+      session.close
+      cookie = session.cgi.output_cookies.first
+      assert_http_only_cookie cookie, false
    end
  end

@@ -195,6 +239,13 @@ def assert_cookie(cookie, value = nil, expires = nil, message = nil)
      assert_equal expires, cookie.expires ? cookie.expires.to_date : cookie.expires, message
    end

+    def assert_secure_cookie(cookie,value=true)
+      assert cookie.secure==value
+    end
+
+    def assert_http_only_cookie(cookie,value=true)
+      assert cookie.http_only==value
+    end

    def cookies(*which)
      self.class.cookies.values_at(*which)