cookieless_sessions 1.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: bcbba977e6ff02b91577d6dd884eab647310f40a
+  data.tar.gz: 38045f2f7e63afc1a5c953c4fc33a8e432802ef1
+SHA512:
+  metadata.gz: 3c14c0055fe304a5197a48d96feb8cfa8d8605bc14c977be2985e3b1d679ee3409e9180ea787599ed20f0c050ce3890e43d7ff720b7c01d832833eec2ac6d6a3
+  data.tar.gz: 15bd37dfa92e899864ee7c28037c5cf8cf6617268f26f5344528819ec55cf5eb8dfaae7d13b1dd8756c28591cce003d0c5cdce6c22322dfc9f0c5f912b183b32

data/.gitignore

@@ -0,0 +1,25 @@
+*.gem
+*.rbc
+.bundle
+.config
+.yardoc
+Gemfile.lock
+InstalledFiles
+_yardoc
+coverage
+doc/
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp
+*.bundle
+*.so
+*.o
+*.a
+mkmf.log
+
+spec/dummy/log
+spec/dummy/db

data/.rspec

@@ -0,0 +1,2 @@
+--color
+--format progress

data/.ruby-gemset

@@ -0,0 +1 @@
+cookieless_sessions

data/.ruby-version

@@ -0,0 +1 @@
+ruby-2.1.1

data/.travis.yml

@@ -0,0 +1,6 @@
+language: ruby
+rvm:
+  - 1.9.3
+  - 2.0.0
+  - 2.1.0
+  - 2.1.1

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in cookieless_sessions.gemspec
+gemspec

data/Guardfile

@@ -0,0 +1,24 @@
+# A sample Guardfile
+# More info at https://github.com/guard/guard#readme
+
+guard :rspec do
+  watch(%r{^spec/.+_spec\.rb$})
+  watch(%r{^lib/(.+)\.rb$})     { |m| "spec/lib/#{m[1]}_spec.rb" }
+  watch('spec/spec_helper.rb')  { "spec" }
+
+  # Rails example
+  watch(%r{^app/(.+)\.rb$})                           { |m| "spec/#{m[1]}_spec.rb" }
+  watch(%r{^app/(.*)(\.erb|\.haml|\.slim)$})          { |m| "spec/#{m[1]}#{m[2]}_spec.rb" }
+  watch(%r{^app/controllers/(.+)_(controller)\.rb$})  { |m| ["spec/routing/#{m[1]}_routing_spec.rb", "spec/#{m[2]}s/#{m[1]}_#{m[2]}_spec.rb", "spec/acceptance/#{m[1]}_spec.rb"] }
+  watch(%r{^spec/support/(.+)\.rb$})                  { "spec" }
+  watch('config/routes.rb')                           { "spec/routing" }
+  watch('app/controllers/application_controller.rb')  { "spec/controllers" }
+
+  # Capybara features specs
+  watch(%r{^app/views/(.+)/.*\.(erb|haml|slim)$})     { |m| "spec/features/#{m[1]}_spec.rb" }
+
+  # Turnip features and steps
+  watch(%r{^spec/acceptance/(.+)\.feature$})
+  watch(%r{^spec/acceptance/steps/(.+)_steps\.rb$})   { |m| Dir[File.join("**/#{m[1]}.feature")][0] || 'spec/acceptance' }
+end
+

data/LICENSE.txt

@@ -0,0 +1,22 @@
+Copyright (c) 2014 Taktsoft GmbH & Co. KG
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,102 @@
+# CookielessSessions
+[![Gem Version](https://badge.fury.io/rb/cookieless_sessions.png)](http://badge.fury.io/rb/cookieless_sessions) 
+[![Build Status](https://api.travis-ci.org/taktsoft/cookieless_sessions.png)](https://travis-ci.org/taktsoft/cookieless_sessions)
+[![Code Climate](https://codeclimate.com/github/taktsoft/cookieless_sessions.png)](https://codeclimate.com/github/taktsoft/cookieless_sessions)
+
+CookielessSessions implements a fallback mechanism for keeping Session-IDs _(via GET-Parameter)_ on clients that doesn't support or allow cookies.
+
+By default, the server sends a _Set-Cookie_ header to the client. If the client supports and allows cookies, it will send back this _Cookie_ header back in the next request. If not, then there won't be a _Cookie_ header in the next requests from the client to the server and the server will initiate a new session for the client, in every request. In this case, sessions won't work.
+
+This is what this gem was built for. There is only one other way to transfer a Session-ID between server and client: via GET-Paramters _(and of course POST-Parameters)_.
+
+## Implementation
+
+There isn't any magic in this gem. This gem consists of one module which implements a concern for controllers. The important method in this module is _default_url_options_ and it only adds the _session_key_ with the _session_id_ to the options hash.
+
+Rails uses the result of _default_url_options_ method for Path / URL generation. Because of that, the _session_key_ and _session_id_ will be added to every Paths and URL generated in _(cookieless_session enabled)_ controllers.
+
+## Requirements
+
+An application based on Rails 3.x or 4.x configured with a session storage that supports the _cookie_only: false_ option (e.g. [redis-session-store](https://rubygems.org/gems/redis-session-store)).
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+    gem 'cookieless_sessions'
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install cookieless_sessions
+
+## Usage
+
+First, you need a cookie storage which supports the _cookie_only_ option and turn it off. Rails built in session storages (_cookie_store_ and _active_record_store_) doesn't support this option. That's why you need another cookie_storage. For example: this gem uses _redis_session_store_ from the [redis-session-store](https://rubygems.org/gems/redis-session-store) gem and a [Redis](http://redis.io/) database for its tests.
+
+Include the module into the controller where you want to enable sessions via GET parameter:
+
+```ruby
+    class YourController < ApplicationController
+        include CookielessSessions::EnabledController
+
+        # ...
+    end
+```
+
+If you want to enable sessions via GET parameter for the whole application, include the module into your _ApplicationController_:
+
+```ruby
+    class ApplicationController < ActionController::Base
+        include CookielessSessions::EnabledController
+
+        # ...
+    end
+```
+
+If you want to disable sessions via GET parameter for a certain controller, you can do this by excepting the _sessions_key_ from the _default_url_options_:
+
+```ruby
+    class OtherController < ApplicationController
+        def default_url_options
+            super.except(session_key)
+        end
+    end
+```
+
+### Hint
+
+If you want to overwrite _default_url_options_ in one of your controllers that use _cookieless_sessions_ and you want to keep that functionality, you should use _super.dup_ and work on a copy:
+
+```ruby
+    class AnotherController < ApplicationController
+        def default_url_options
+            options ||= super.dup || {}
+            options[:foo] = :bar
+            return options
+        end
+    end
+```
+
+## Security
+
+There is one security impact: If you copy & paste a URL with your Sessions-ID to a friend and he has cookies disabled _(this won't be happen if he has cookies enabled)_, he will get your session _(e.g. he will be logged in with your account, depends on the application)_.
+
+Two countermeasure could be to bind sessions to the client's IP-Address and add a session lifetime. For both you can use the [frikandel](https://rubygems.org/gems/frikandel) gem. This should make it harder to steal and fix sessions.
+
+## Changes
+
+* v1.0.0 -- first release with complete README; no code changes
+* v0.0.2 -- improved and more flexible version with tests
+* v0.0.1 -- initial and work-in-progress version without any tests
+
+## Contributing
+
+1. Fork it ( https://github.com/taktsoft/cookieless_sessions/fork )
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create a new Pull Request

data/Rakefile

@@ -0,0 +1,7 @@
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new("spec")
+
+# If you want to make this the default task
+task :default => :spec

data/cookieless_sessions.gemspec

@@ -0,0 +1,31 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'cookieless_sessions/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "cookieless_sessions"
+  spec.version       = CookielessSessions::VERSION
+  spec.authors       = ["Taktsoft"]
+  spec.email         = ["developers@taktsoft.com"]
+  spec.summary       = "#{spec.name} implements a fallback mechanism for keeping Session-IDs (via GET-Parameter) on clients that doesn't support or allow cookies."
+  spec.description   = spec.summary
+  spec.homepage      = "https://github.com/taktsoft/cookieless_sessions"
+  spec.license       = "MIT"
+
+  spec.files         = `git ls-files -z`.split("\x0")
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths = ["lib"]
+
+  spec.add_development_dependency "bundler", "~> 1.6"
+  spec.add_development_dependency "rake", "~> 10.3"
+  spec.add_development_dependency "rspec-rails", "~> 2.14"
+  spec.add_development_dependency "guard-rspec", "~> 4.2"
+  spec.add_development_dependency "capybara", "~> 2.2"
+  spec.add_development_dependency "poltergeist", "~> 1.5"
+  spec.add_development_dependency "pry", "~> 0.9"
+  spec.add_development_dependency "rails", [">= 3.0.0", "< 5.0"]
+  spec.add_development_dependency "sqlite3", "~> 1.3"
+  spec.add_development_dependency "redis-session-store", "~> 0.7"
+end

data/lib/cookieless_sessions.rb

@@ -0,0 +1,31 @@
+require "cookieless_sessions/version"
+
+module CookielessSessions
+  module EnabledController
+    extend ActiveSupport::Concern
+
+  protected
+
+    def default_url_options
+      options = super.dup || {} # super.dup is very important here!
+
+      if session_id.present?
+        options[session_key] = session_id
+      end
+
+      return options
+    end
+
+    def session_key
+      Rails.application.config.session_options[:key]
+    end
+
+    def session_id
+      request.session_options[:id]
+    end
+
+    def session_is_not_cookie_only?
+      Rails.application.config.session_options[:cookie_only] == false
+    end
+  end
+end

data/lib/cookieless_sessions/version.rb

@@ -0,0 +1,3 @@
+module CookielessSessions
+  VERSION = "1.0.0"
+end

data/spec/controllers/cookieless_controller_spec.rb

@@ -0,0 +1,38 @@
+require 'spec_helper'
+require 'support/cookieless_controller'
+
+describe CookielessController do
+
+  it "includes default_url_options from superclass" do
+    ApplicationController.send(:define_method, :default_url_options, -> {
+        { application_controller_option: 1337 }
+      })
+
+    controller.send(:default_url_options).should include(:application_controller_option)
+  end
+
+  it "includes session_key in default_url_options" do
+    controller.send(:default_url_options).should include(rails_app_session_key)
+  end
+
+  it "doesn't include session_key in default_url_options if session_id isn't present" do
+    controller.stub(:session_id).and_return(nil)
+
+    controller.send(:default_url_options).should_not include(rails_app_session_key)
+  end
+
+  it "generates pathes with session_key=session_id in params" do
+    controller.stub(:session_key).and_return('some_session_key')
+    controller.stub(:session_id).and_return('some_session_id')
+
+    controller.root_path.should include("some_session_key=some_session_id")
+  end
+
+  it "generates urls with session_key=session_id in params" do
+    controller.stub(:session_key).and_return('some_session_key')
+    controller.stub(:session_id).and_return('some_session_id')
+
+    controller.redirect_to_root_url.should include("some_session_key=some_session_id")
+  end
+
+end

data/spec/controllers/sub_cookie_controller_from_cookieless_controller_spec.rb

@@ -0,0 +1,36 @@
+require 'spec_helper'
+require 'support/cookieless_controller'
+
+
+class SubCookieController < CookielessController
+
+  def index
+    render text: "SubCookieController#Index"
+  end
+
+protected
+
+  def default_url_options
+    super.except(session_key)
+  end
+end
+
+
+describe SubCookieController do
+
+  it "doesn't include session_key in default_url_options" do
+    controller.stub(:session_key).and_return('some_session_key')
+    controller.stub(:session_id).and_return('some_session_id')
+
+    controller.send(:default_url_options).should_not include('some_session_key')
+  end
+
+  it "doesn't include session_key=session_id in generated path or url" do
+    controller.stub(:session_key).and_return('some_session_key')
+    controller.stub(:session_id).and_return('some_session_id')
+
+    controller.root_path.should_not include("some_session_key=some_session_id")
+    controller.root_url.should_not include("some_session_key=some_session_id")
+  end
+
+end

data/spec/cookieless_sessions_spec.rb

@@ -0,0 +1,4 @@
+require 'spec_helper'
+
+describe CookielessSessions do
+end

data/spec/dummy/README.rdoc

@@ -0,0 +1,28 @@
+== README
+
+This README would normally document whatever steps are necessary to get the
+application up and running.
+
+Things you may want to cover:
+
+* Ruby version
+
+* System dependencies
+
+* Configuration
+
+* Database creation
+
+* Database initialization
+
+* How to run the test suite
+
+* Services (job queues, cache servers, search engines, etc.)
+
+* Deployment instructions
+
+* ...
+
+
+Please feel free to use a different markup language if you do not plan to run
+<tt>rake doc:app</tt>.

data/spec/dummy/Rakefile

@@ -0,0 +1,6 @@
+# Add your own tasks in files placed in lib/tasks ending in .rake,
+# for example lib/tasks/capistrano.rake, and they will automatically be available to Rake.
+
+require File.expand_path('../config/application', __FILE__)
+
+Rails.application.load_tasks

data/spec/dummy/app/assets/javascripts/application.js

@@ -0,0 +1,13 @@
+// This is a manifest file that'll be compiled into application.js, which will include all the files
+// listed below.
+//
+// Any JavaScript/Coffee file within this directory, lib/assets/javascripts, vendor/assets/javascripts,
+// or vendor/assets/javascripts of plugins, if any, can be referenced here using a relative path.
+//
+// It's not advisable to add code directly here, but if you do, it'll appear at the bottom of the
+// compiled file.
+//
+// Read Sprockets README (https://github.com/sstephenson/sprockets#sprockets-directives) for details
+// about supported directives.
+//
+//= require_tree .

data/spec/dummy/app/assets/stylesheets/application.css

@@ -0,0 +1,15 @@
+/*
+ * This is a manifest file that'll be compiled into application.css, which will include all the files
+ * listed below.
+ *
+ * Any CSS and SCSS file within this directory, lib/assets/stylesheets, vendor/assets/stylesheets,
+ * or vendor/assets/stylesheets of plugins, if any, can be referenced here using a relative path.
+ *
+ * You're free to add application-wide styles to this file and they'll appear at the bottom of the
+ * compiled file so the styles you add here take precedence over styles defined in any styles
+ * defined in the other CSS/SCSS files in this directory. It is generally better to create a new
+ * file per style scope.
+ *
+ *= require_tree .
+ *= require_self
+ */