cookieless_sessions 1.0.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +7 -0
- data/.gitignore +25 -0
- data/.rspec +2 -0
- data/.ruby-gemset +1 -0
- data/.ruby-version +1 -0
- data/.travis.yml +6 -0
- data/Gemfile +4 -0
- data/Guardfile +24 -0
- data/LICENSE.txt +22 -0
- data/README.md +102 -0
- data/Rakefile +7 -0
- data/cookieless_sessions.gemspec +31 -0
- data/lib/cookieless_sessions.rb +31 -0
- data/lib/cookieless_sessions/version.rb +3 -0
- data/spec/controllers/cookieless_controller_spec.rb +38 -0
- data/spec/controllers/sub_cookie_controller_from_cookieless_controller_spec.rb +36 -0
- data/spec/cookieless_sessions_spec.rb +4 -0
- data/spec/dummy/README.rdoc +28 -0
- data/spec/dummy/Rakefile +6 -0
- data/spec/dummy/app/assets/images/.keep +0 -0
- data/spec/dummy/app/assets/javascripts/application.js +13 -0
- data/spec/dummy/app/assets/stylesheets/application.css +15 -0
- data/spec/dummy/app/controllers/application_controller.rb +5 -0
- data/spec/dummy/app/controllers/concerns/.keep +0 -0
- data/spec/dummy/app/helpers/application_helper.rb +2 -0
- data/spec/dummy/app/mailers/.keep +0 -0
- data/spec/dummy/app/models/.keep +0 -0
- data/spec/dummy/app/models/concerns/.keep +0 -0
- data/spec/dummy/app/views/layouts/application.html.erb +14 -0
- data/spec/dummy/bin/bundle +3 -0
- data/spec/dummy/bin/rails +4 -0
- data/spec/dummy/bin/rake +4 -0
- data/spec/dummy/config.ru +4 -0
- data/spec/dummy/config/application.rb +30 -0
- data/spec/dummy/config/boot.rb +5 -0
- data/spec/dummy/config/database.yml +25 -0
- data/spec/dummy/config/environment.rb +5 -0
- data/spec/dummy/config/environments/development.rb +37 -0
- data/spec/dummy/config/environments/production.rb +83 -0
- data/spec/dummy/config/environments/test.rb +39 -0
- data/spec/dummy/config/initializers/backtrace_silencers.rb +7 -0
- data/spec/dummy/config/initializers/cookies_serializer.rb +3 -0
- data/spec/dummy/config/initializers/filter_parameter_logging.rb +4 -0
- data/spec/dummy/config/initializers/inflections.rb +16 -0
- data/spec/dummy/config/initializers/mime_types.rb +4 -0
- data/spec/dummy/config/initializers/session_store.rb +13 -0
- data/spec/dummy/config/initializers/wrap_parameters.rb +14 -0
- data/spec/dummy/config/locales/en.yml +23 -0
- data/spec/dummy/config/routes.rb +2 -0
- data/spec/dummy/config/secrets.yml +22 -0
- data/spec/dummy/lib/assets/.keep +0 -0
- data/spec/dummy/public/404.html +67 -0
- data/spec/dummy/public/422.html +67 -0
- data/spec/dummy/public/500.html +66 -0
- data/spec/dummy/public/favicon.ico +0 -0
- data/spec/features/cookieless_spec.rb +69 -0
- data/spec/spec_helper.rb +41 -0
- data/spec/support/cookieless_controller.rb +25 -0
- metadata +295 -0
checksums.yaml
ADDED
@@ -0,0 +1,7 @@
|
|
1
|
+
---
|
2
|
+
SHA1:
|
3
|
+
metadata.gz: bcbba977e6ff02b91577d6dd884eab647310f40a
|
4
|
+
data.tar.gz: 38045f2f7e63afc1a5c953c4fc33a8e432802ef1
|
5
|
+
SHA512:
|
6
|
+
metadata.gz: 3c14c0055fe304a5197a48d96feb8cfa8d8605bc14c977be2985e3b1d679ee3409e9180ea787599ed20f0c050ce3890e43d7ff720b7c01d832833eec2ac6d6a3
|
7
|
+
data.tar.gz: 15bd37dfa92e899864ee7c28037c5cf8cf6617268f26f5344528819ec55cf5eb8dfaae7d13b1dd8756c28591cce003d0c5cdce6c22322dfc9f0c5f912b183b32
|
data/.gitignore
ADDED
@@ -0,0 +1,25 @@
|
|
1
|
+
*.gem
|
2
|
+
*.rbc
|
3
|
+
.bundle
|
4
|
+
.config
|
5
|
+
.yardoc
|
6
|
+
Gemfile.lock
|
7
|
+
InstalledFiles
|
8
|
+
_yardoc
|
9
|
+
coverage
|
10
|
+
doc/
|
11
|
+
lib/bundler/man
|
12
|
+
pkg
|
13
|
+
rdoc
|
14
|
+
spec/reports
|
15
|
+
test/tmp
|
16
|
+
test/version_tmp
|
17
|
+
tmp
|
18
|
+
*.bundle
|
19
|
+
*.so
|
20
|
+
*.o
|
21
|
+
*.a
|
22
|
+
mkmf.log
|
23
|
+
|
24
|
+
spec/dummy/log
|
25
|
+
spec/dummy/db
|
data/.rspec
ADDED
data/.ruby-gemset
ADDED
@@ -0,0 +1 @@
|
|
1
|
+
cookieless_sessions
|
data/.ruby-version
ADDED
@@ -0,0 +1 @@
|
|
1
|
+
ruby-2.1.1
|
data/.travis.yml
ADDED
data/Gemfile
ADDED
data/Guardfile
ADDED
@@ -0,0 +1,24 @@
|
|
1
|
+
# A sample Guardfile
|
2
|
+
# More info at https://github.com/guard/guard#readme
|
3
|
+
|
4
|
+
guard :rspec do
|
5
|
+
watch(%r{^spec/.+_spec\.rb$})
|
6
|
+
watch(%r{^lib/(.+)\.rb$}) { |m| "spec/lib/#{m[1]}_spec.rb" }
|
7
|
+
watch('spec/spec_helper.rb') { "spec" }
|
8
|
+
|
9
|
+
# Rails example
|
10
|
+
watch(%r{^app/(.+)\.rb$}) { |m| "spec/#{m[1]}_spec.rb" }
|
11
|
+
watch(%r{^app/(.*)(\.erb|\.haml|\.slim)$}) { |m| "spec/#{m[1]}#{m[2]}_spec.rb" }
|
12
|
+
watch(%r{^app/controllers/(.+)_(controller)\.rb$}) { |m| ["spec/routing/#{m[1]}_routing_spec.rb", "spec/#{m[2]}s/#{m[1]}_#{m[2]}_spec.rb", "spec/acceptance/#{m[1]}_spec.rb"] }
|
13
|
+
watch(%r{^spec/support/(.+)\.rb$}) { "spec" }
|
14
|
+
watch('config/routes.rb') { "spec/routing" }
|
15
|
+
watch('app/controllers/application_controller.rb') { "spec/controllers" }
|
16
|
+
|
17
|
+
# Capybara features specs
|
18
|
+
watch(%r{^app/views/(.+)/.*\.(erb|haml|slim)$}) { |m| "spec/features/#{m[1]}_spec.rb" }
|
19
|
+
|
20
|
+
# Turnip features and steps
|
21
|
+
watch(%r{^spec/acceptance/(.+)\.feature$})
|
22
|
+
watch(%r{^spec/acceptance/steps/(.+)_steps\.rb$}) { |m| Dir[File.join("**/#{m[1]}.feature")][0] || 'spec/acceptance' }
|
23
|
+
end
|
24
|
+
|
data/LICENSE.txt
ADDED
@@ -0,0 +1,22 @@
|
|
1
|
+
Copyright (c) 2014 Taktsoft GmbH & Co. KG
|
2
|
+
|
3
|
+
MIT License
|
4
|
+
|
5
|
+
Permission is hereby granted, free of charge, to any person obtaining
|
6
|
+
a copy of this software and associated documentation files (the
|
7
|
+
"Software"), to deal in the Software without restriction, including
|
8
|
+
without limitation the rights to use, copy, modify, merge, publish,
|
9
|
+
distribute, sublicense, and/or sell copies of the Software, and to
|
10
|
+
permit persons to whom the Software is furnished to do so, subject to
|
11
|
+
the following conditions:
|
12
|
+
|
13
|
+
The above copyright notice and this permission notice shall be
|
14
|
+
included in all copies or substantial portions of the Software.
|
15
|
+
|
16
|
+
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
|
17
|
+
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
|
18
|
+
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
|
19
|
+
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
|
20
|
+
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
|
21
|
+
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
|
22
|
+
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
data/README.md
ADDED
@@ -0,0 +1,102 @@
|
|
1
|
+
# CookielessSessions
|
2
|
+
[![Gem Version](https://badge.fury.io/rb/cookieless_sessions.png)](http://badge.fury.io/rb/cookieless_sessions)
|
3
|
+
[![Build Status](https://api.travis-ci.org/taktsoft/cookieless_sessions.png)](https://travis-ci.org/taktsoft/cookieless_sessions)
|
4
|
+
[![Code Climate](https://codeclimate.com/github/taktsoft/cookieless_sessions.png)](https://codeclimate.com/github/taktsoft/cookieless_sessions)
|
5
|
+
|
6
|
+
CookielessSessions implements a fallback mechanism for keeping Session-IDs _(via GET-Parameter)_ on clients that doesn't support or allow cookies.
|
7
|
+
|
8
|
+
By default, the server sends a _Set-Cookie_ header to the client. If the client supports and allows cookies, it will send back this _Cookie_ header back in the next request. If not, then there won't be a _Cookie_ header in the next requests from the client to the server and the server will initiate a new session for the client, in every request. In this case, sessions won't work.
|
9
|
+
|
10
|
+
This is what this gem was built for. There is only one other way to transfer a Session-ID between server and client: via GET-Paramters _(and of course POST-Parameters)_.
|
11
|
+
|
12
|
+
## Implementation
|
13
|
+
|
14
|
+
There isn't any magic in this gem. This gem consists of one module which implements a concern for controllers. The important method in this module is _default_url_options_ and it only adds the _session_key_ with the _session_id_ to the options hash.
|
15
|
+
|
16
|
+
Rails uses the result of _default_url_options_ method for Path / URL generation. Because of that, the _session_key_ and _session_id_ will be added to every Paths and URL generated in _(cookieless_session enabled)_ controllers.
|
17
|
+
|
18
|
+
## Requirements
|
19
|
+
|
20
|
+
An application based on Rails 3.x or 4.x configured with a session storage that supports the _cookie_only: false_ option (e.g. [redis-session-store](https://rubygems.org/gems/redis-session-store)).
|
21
|
+
|
22
|
+
## Installation
|
23
|
+
|
24
|
+
Add this line to your application's Gemfile:
|
25
|
+
|
26
|
+
gem 'cookieless_sessions'
|
27
|
+
|
28
|
+
And then execute:
|
29
|
+
|
30
|
+
$ bundle
|
31
|
+
|
32
|
+
Or install it yourself as:
|
33
|
+
|
34
|
+
$ gem install cookieless_sessions
|
35
|
+
|
36
|
+
## Usage
|
37
|
+
|
38
|
+
First, you need a cookie storage which supports the _cookie_only_ option and turn it off. Rails built in session storages (_cookie_store_ and _active_record_store_) doesn't support this option. That's why you need another cookie_storage. For example: this gem uses _redis_session_store_ from the [redis-session-store](https://rubygems.org/gems/redis-session-store) gem and a [Redis](http://redis.io/) database for its tests.
|
39
|
+
|
40
|
+
Include the module into the controller where you want to enable sessions via GET parameter:
|
41
|
+
|
42
|
+
```ruby
|
43
|
+
class YourController < ApplicationController
|
44
|
+
include CookielessSessions::EnabledController
|
45
|
+
|
46
|
+
# ...
|
47
|
+
end
|
48
|
+
```
|
49
|
+
|
50
|
+
If you want to enable sessions via GET parameter for the whole application, include the module into your _ApplicationController_:
|
51
|
+
|
52
|
+
```ruby
|
53
|
+
class ApplicationController < ActionController::Base
|
54
|
+
include CookielessSessions::EnabledController
|
55
|
+
|
56
|
+
# ...
|
57
|
+
end
|
58
|
+
```
|
59
|
+
|
60
|
+
If you want to disable sessions via GET parameter for a certain controller, you can do this by excepting the _sessions_key_ from the _default_url_options_:
|
61
|
+
|
62
|
+
```ruby
|
63
|
+
class OtherController < ApplicationController
|
64
|
+
def default_url_options
|
65
|
+
super.except(session_key)
|
66
|
+
end
|
67
|
+
end
|
68
|
+
```
|
69
|
+
|
70
|
+
### Hint
|
71
|
+
|
72
|
+
If you want to overwrite _default_url_options_ in one of your controllers that use _cookieless_sessions_ and you want to keep that functionality, you should use _super.dup_ and work on a copy:
|
73
|
+
|
74
|
+
```ruby
|
75
|
+
class AnotherController < ApplicationController
|
76
|
+
def default_url_options
|
77
|
+
options ||= super.dup || {}
|
78
|
+
options[:foo] = :bar
|
79
|
+
return options
|
80
|
+
end
|
81
|
+
end
|
82
|
+
```
|
83
|
+
|
84
|
+
## Security
|
85
|
+
|
86
|
+
There is one security impact: If you copy & paste a URL with your Sessions-ID to a friend and he has cookies disabled _(this won't be happen if he has cookies enabled)_, he will get your session _(e.g. he will be logged in with your account, depends on the application)_.
|
87
|
+
|
88
|
+
Two countermeasure could be to bind sessions to the client's IP-Address and add a session lifetime. For both you can use the [frikandel](https://rubygems.org/gems/frikandel) gem. This should make it harder to steal and fix sessions.
|
89
|
+
|
90
|
+
## Changes
|
91
|
+
|
92
|
+
* v1.0.0 -- first release with complete README; no code changes
|
93
|
+
* v0.0.2 -- improved and more flexible version with tests
|
94
|
+
* v0.0.1 -- initial and work-in-progress version without any tests
|
95
|
+
|
96
|
+
## Contributing
|
97
|
+
|
98
|
+
1. Fork it ( https://github.com/taktsoft/cookieless_sessions/fork )
|
99
|
+
2. Create your feature branch (`git checkout -b my-new-feature`)
|
100
|
+
3. Commit your changes (`git commit -am 'Add some feature'`)
|
101
|
+
4. Push to the branch (`git push origin my-new-feature`)
|
102
|
+
5. Create a new Pull Request
|
data/Rakefile
ADDED
@@ -0,0 +1,31 @@
|
|
1
|
+
# coding: utf-8
|
2
|
+
lib = File.expand_path('../lib', __FILE__)
|
3
|
+
$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
|
4
|
+
require 'cookieless_sessions/version'
|
5
|
+
|
6
|
+
Gem::Specification.new do |spec|
|
7
|
+
spec.name = "cookieless_sessions"
|
8
|
+
spec.version = CookielessSessions::VERSION
|
9
|
+
spec.authors = ["Taktsoft"]
|
10
|
+
spec.email = ["developers@taktsoft.com"]
|
11
|
+
spec.summary = "#{spec.name} implements a fallback mechanism for keeping Session-IDs (via GET-Parameter) on clients that doesn't support or allow cookies."
|
12
|
+
spec.description = spec.summary
|
13
|
+
spec.homepage = "https://github.com/taktsoft/cookieless_sessions"
|
14
|
+
spec.license = "MIT"
|
15
|
+
|
16
|
+
spec.files = `git ls-files -z`.split("\x0")
|
17
|
+
spec.executables = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
|
18
|
+
spec.test_files = spec.files.grep(%r{^(test|spec|features)/})
|
19
|
+
spec.require_paths = ["lib"]
|
20
|
+
|
21
|
+
spec.add_development_dependency "bundler", "~> 1.6"
|
22
|
+
spec.add_development_dependency "rake", "~> 10.3"
|
23
|
+
spec.add_development_dependency "rspec-rails", "~> 2.14"
|
24
|
+
spec.add_development_dependency "guard-rspec", "~> 4.2"
|
25
|
+
spec.add_development_dependency "capybara", "~> 2.2"
|
26
|
+
spec.add_development_dependency "poltergeist", "~> 1.5"
|
27
|
+
spec.add_development_dependency "pry", "~> 0.9"
|
28
|
+
spec.add_development_dependency "rails", [">= 3.0.0", "< 5.0"]
|
29
|
+
spec.add_development_dependency "sqlite3", "~> 1.3"
|
30
|
+
spec.add_development_dependency "redis-session-store", "~> 0.7"
|
31
|
+
end
|
@@ -0,0 +1,31 @@
|
|
1
|
+
require "cookieless_sessions/version"
|
2
|
+
|
3
|
+
module CookielessSessions
|
4
|
+
module EnabledController
|
5
|
+
extend ActiveSupport::Concern
|
6
|
+
|
7
|
+
protected
|
8
|
+
|
9
|
+
def default_url_options
|
10
|
+
options = super.dup || {} # super.dup is very important here!
|
11
|
+
|
12
|
+
if session_id.present?
|
13
|
+
options[session_key] = session_id
|
14
|
+
end
|
15
|
+
|
16
|
+
return options
|
17
|
+
end
|
18
|
+
|
19
|
+
def session_key
|
20
|
+
Rails.application.config.session_options[:key]
|
21
|
+
end
|
22
|
+
|
23
|
+
def session_id
|
24
|
+
request.session_options[:id]
|
25
|
+
end
|
26
|
+
|
27
|
+
def session_is_not_cookie_only?
|
28
|
+
Rails.application.config.session_options[:cookie_only] == false
|
29
|
+
end
|
30
|
+
end
|
31
|
+
end
|
@@ -0,0 +1,38 @@
|
|
1
|
+
require 'spec_helper'
|
2
|
+
require 'support/cookieless_controller'
|
3
|
+
|
4
|
+
describe CookielessController do
|
5
|
+
|
6
|
+
it "includes default_url_options from superclass" do
|
7
|
+
ApplicationController.send(:define_method, :default_url_options, -> {
|
8
|
+
{ application_controller_option: 1337 }
|
9
|
+
})
|
10
|
+
|
11
|
+
controller.send(:default_url_options).should include(:application_controller_option)
|
12
|
+
end
|
13
|
+
|
14
|
+
it "includes session_key in default_url_options" do
|
15
|
+
controller.send(:default_url_options).should include(rails_app_session_key)
|
16
|
+
end
|
17
|
+
|
18
|
+
it "doesn't include session_key in default_url_options if session_id isn't present" do
|
19
|
+
controller.stub(:session_id).and_return(nil)
|
20
|
+
|
21
|
+
controller.send(:default_url_options).should_not include(rails_app_session_key)
|
22
|
+
end
|
23
|
+
|
24
|
+
it "generates pathes with session_key=session_id in params" do
|
25
|
+
controller.stub(:session_key).and_return('some_session_key')
|
26
|
+
controller.stub(:session_id).and_return('some_session_id')
|
27
|
+
|
28
|
+
controller.root_path.should include("some_session_key=some_session_id")
|
29
|
+
end
|
30
|
+
|
31
|
+
it "generates urls with session_key=session_id in params" do
|
32
|
+
controller.stub(:session_key).and_return('some_session_key')
|
33
|
+
controller.stub(:session_id).and_return('some_session_id')
|
34
|
+
|
35
|
+
controller.redirect_to_root_url.should include("some_session_key=some_session_id")
|
36
|
+
end
|
37
|
+
|
38
|
+
end
|
@@ -0,0 +1,36 @@
|
|
1
|
+
require 'spec_helper'
|
2
|
+
require 'support/cookieless_controller'
|
3
|
+
|
4
|
+
|
5
|
+
class SubCookieController < CookielessController
|
6
|
+
|
7
|
+
def index
|
8
|
+
render text: "SubCookieController#Index"
|
9
|
+
end
|
10
|
+
|
11
|
+
protected
|
12
|
+
|
13
|
+
def default_url_options
|
14
|
+
super.except(session_key)
|
15
|
+
end
|
16
|
+
end
|
17
|
+
|
18
|
+
|
19
|
+
describe SubCookieController do
|
20
|
+
|
21
|
+
it "doesn't include session_key in default_url_options" do
|
22
|
+
controller.stub(:session_key).and_return('some_session_key')
|
23
|
+
controller.stub(:session_id).and_return('some_session_id')
|
24
|
+
|
25
|
+
controller.send(:default_url_options).should_not include('some_session_key')
|
26
|
+
end
|
27
|
+
|
28
|
+
it "doesn't include session_key=session_id in generated path or url" do
|
29
|
+
controller.stub(:session_key).and_return('some_session_key')
|
30
|
+
controller.stub(:session_id).and_return('some_session_id')
|
31
|
+
|
32
|
+
controller.root_path.should_not include("some_session_key=some_session_id")
|
33
|
+
controller.root_url.should_not include("some_session_key=some_session_id")
|
34
|
+
end
|
35
|
+
|
36
|
+
end
|
@@ -0,0 +1,28 @@
|
|
1
|
+
== README
|
2
|
+
|
3
|
+
This README would normally document whatever steps are necessary to get the
|
4
|
+
application up and running.
|
5
|
+
|
6
|
+
Things you may want to cover:
|
7
|
+
|
8
|
+
* Ruby version
|
9
|
+
|
10
|
+
* System dependencies
|
11
|
+
|
12
|
+
* Configuration
|
13
|
+
|
14
|
+
* Database creation
|
15
|
+
|
16
|
+
* Database initialization
|
17
|
+
|
18
|
+
* How to run the test suite
|
19
|
+
|
20
|
+
* Services (job queues, cache servers, search engines, etc.)
|
21
|
+
|
22
|
+
* Deployment instructions
|
23
|
+
|
24
|
+
* ...
|
25
|
+
|
26
|
+
|
27
|
+
Please feel free to use a different markup language if you do not plan to run
|
28
|
+
<tt>rake doc:app</tt>.
|
data/spec/dummy/Rakefile
ADDED
File without changes
|
@@ -0,0 +1,13 @@
|
|
1
|
+
// This is a manifest file that'll be compiled into application.js, which will include all the files
|
2
|
+
// listed below.
|
3
|
+
//
|
4
|
+
// Any JavaScript/Coffee file within this directory, lib/assets/javascripts, vendor/assets/javascripts,
|
5
|
+
// or vendor/assets/javascripts of plugins, if any, can be referenced here using a relative path.
|
6
|
+
//
|
7
|
+
// It's not advisable to add code directly here, but if you do, it'll appear at the bottom of the
|
8
|
+
// compiled file.
|
9
|
+
//
|
10
|
+
// Read Sprockets README (https://github.com/sstephenson/sprockets#sprockets-directives) for details
|
11
|
+
// about supported directives.
|
12
|
+
//
|
13
|
+
//= require_tree .
|
@@ -0,0 +1,15 @@
|
|
1
|
+
/*
|
2
|
+
* This is a manifest file that'll be compiled into application.css, which will include all the files
|
3
|
+
* listed below.
|
4
|
+
*
|
5
|
+
* Any CSS and SCSS file within this directory, lib/assets/stylesheets, vendor/assets/stylesheets,
|
6
|
+
* or vendor/assets/stylesheets of plugins, if any, can be referenced here using a relative path.
|
7
|
+
*
|
8
|
+
* You're free to add application-wide styles to this file and they'll appear at the bottom of the
|
9
|
+
* compiled file so the styles you add here take precedence over styles defined in any styles
|
10
|
+
* defined in the other CSS/SCSS files in this directory. It is generally better to create a new
|
11
|
+
* file per style scope.
|
12
|
+
*
|
13
|
+
*= require_tree .
|
14
|
+
*= require_self
|
15
|
+
*/
|