cookie_slasher 0.0.1

data/LICENSE

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2014 Olek Poplavsky
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/README.md

@@ -0,0 +1,68 @@
+# cookie_slasher
+
+## Synopsis
+
+Rack middleware, removes cookies from responses that are likely to be accidentally cached.
+
+## Audience
+
+Use this gem as an extra layer of protection if your system has any HTTP
+accelerator in front of it, like Varnish. And by the way, Fastly is all
+about Varnish.
+
+## Why?
+
+It is often desirable to create configuration of accelerator that caches 404
+(Page Not Found) and 301 (Permanent Redirect) responses. It is only too
+easy to make a trivial mistake and cache those pages even when there are
+cookies set on them.
+
+### Consequences of not using it
+
+If session cookie is set on a 404 or 301 response (typical), and that
+response is cached by HTTP accelerator, your users will suddengly see
+themself logged in as somebody else, and user session swapping will go
+wild. Then you will spend days or weeks troubleshooting this problem,
+because even reproducing it is a challenge. All while users confidence
+in your system plummets.
+
+### Chances of having 'session swapping' problem
+
+Fairly small, but you are always only one step away from it, and
+consequences are dire.
+
+## Usage
+
+First, add this line to your Gemfile
+
+    gem 'cookie_slasher'
+
+Second, if you have Rails app, add this line to config/application.rb
+
+    config.middleware.insert_before ActionDispatch::Cookies, CookieSlasher
+
+If you have Rack/Sinatra/... app, you just have to 'use' CookieSlasher
+middleware close to the top of your rackup configuration.
+
+Third, test to make sure it actually works for you.
+
+### Logging
+
+CookieSlasher always logs cookies it is removing from response to avoid
+any surprises. If your app is Rails app, it logs to standard rails
+logger. If not, it logs to 'rack.error' stream, or to logger provided in
+configuration. If you feel like complaining that its log is too verbose
+and noisy, read next paragraph.
+
+### Abuse
+
+Relying on it to catch ALL your cookies (especially session cookies) ALL
+the time will work, but is considered to be an abusive behavior.
+CookieSlasher is just a safeguard, it is not intended to be actively
+working all the time removing those cookies from requests. It can do
+that, but that is just bad taste and design. If you see in your
+application log that CookieSlasher is often removing cookies, please do work
+on your application code to make it stop creating them in the first
+place. If you have Rails app, this line of code may come in handy:
+
+    request.session_options[:skip] = true

data/lib/cookie_slasher.rb

@@ -0,0 +1,53 @@
+# encoding: utf-8
+
+# Rack middleware that removes all the cookies from 404 and 301
+# responses, making them safe to be cached by varnish.  Yes, it is a
+# heavy-handed approach, but given how touchy-feely rails session
+# handling is, it seems to be the only way to guarantee that no cookies
+# are present on those cacheable responses.
+
+class CookieSlasher
+  def initialize(app, logger=nil)
+    @app = app
+    @logger = logger
+  end
+
+  def call(env)
+    status, headers, body = @app.call(env)
+
+    case status
+    when 404, 301
+      # removes ALL cookies from the response
+      cookies_header = read_cookies_header(headers)
+
+      if cookies_header
+        log(env, cookies_header)
+        delete_cookies_header(headers)
+      end
+    end
+
+    [status, headers, body]
+  end
+
+  private
+
+  def read_cookies_header(headers)
+    headers['Set-Cookie']
+  end
+
+  def delete_cookies_header(headers)
+    headers.delete 'Set-Cookie'
+  end
+
+  def log(env, cookies_header)
+    path = env['PATH_INFO']
+
+    message = "CookieSlasher: slashing #{cookies_header.inspect} at #{path.inspect}"
+    if !@logger && defined?(Rails)
+      Rails.logger.warn(message)
+    else
+      logger = @logger || env['rack.errors']
+      logger.write('warn ' + message + "\n")
+    end
+  end
+end

metadata

@@ -0,0 +1,50 @@
+--- !ruby/object:Gem::Specification
+name: cookie_slasher
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+  prerelease: 
+platform: ruby
+authors:
+- Olek Poplavsky
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2014-04-18 00:00:00.000000000 Z
+dependencies: []
+description: Use this gem as an extra layer of protection if your system has any HTTP
+  accelerators in front of it, like varnish.
+email: olek@woodenbits.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- lib/cookie_slasher.rb
+- LICENSE
+- README.md
+homepage: http://github.com/olek/cookie_slasher
+licenses:
+- MIT
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: 1.9.3
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: 1.3.6
+requirements: []
+rubyforge_project: 
+rubygems_version: 1.8.23
+signing_key: 
+specification_version: 3
+summary: Rack middleware, removes cookies from responses that are likely to be accidentally
+  cached.
+test_files: []