cookieless_sessions 1.0.0 → 1.0.1
- checksums.yaml +4 -4
- data/.gitignore +4 -7
- data/.travis.yml +16 -4
- data/Gemfile.rails-3.2.x +6 -0
- data/Gemfile.rails-4.0.x +6 -0
- data/Gemfile.rails-4.1.x +6 -0
- data/Gemfile.rails-head +6 -0
- data/README.md +9 -0
- data/cookieless_sessions.gemspec +4 -3
- data/lib/cookieless_sessions.rb +1 -0
- data/lib/cookieless_sessions/rails_32_patch.rb +18 -0
- data/lib/cookieless_sessions/version.rb +1 -1
- data/spec/dummy/config/environments/development.rb +1 -1
- data/spec/dummy/config/environments/production.rb +1 -1
- data/spec/dummy/config/environments/test.rb +1 -1
- data/spec/dummy/config/initializers/secret_token.rb +12 -0
- data/spec/features/cookieless_spec.rb +13 -1
- data/spec/support/cookieless_controller.rb +8 -1
- metadata +29 -12
- data/.ruby-gemset +0 -1
- data/.ruby-version +0 -1
- data/spec/dummy/config/secrets.yml +0 -22
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 9be96a253a2a981bc0a4e8a251958f0b3a566187
|
4
|
+
data.tar.gz: fe0c0bd04483b7bef37ba52dd36a1be6bb01a5c6
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 33b9090e3083f82fa21ef0917be80c3a375360a908b972d8ba0170b642721a363fc8afd53d0c1eab356104eb6a77a0907777c5097b2f6e362654ce4c62de4d9f
|
7
|
+
data.tar.gz: 649e6a656a8392a97f9822dee205c64b088f208aa6e3757663378f10066171c1c9978dc786ce9591cfce99a3786f7026e64fe6f799c406b1f615f2e668da0a38
|
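--- a/data/.gitignore
+++ b/data/.gitignore
@@ -3,7 +3,7 @@
 .bundle
 .config
 .yardoc
-Gemfile
+Gemfile*.lock
 InstalledFiles
 _yardoc
 coverage
@@ -15,11 +15,8 @@ spec/reports
 test/tmp
 test/version_tmp
 tmp
-*.bundle
-*.so
-*.o
-*.a
-mkmf.log
 
+spec/dummy/db
 spec/dummy/log
-
+.ruby-gemset
+.ruby-version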
data/.travis.yml
CHANGED
@@ -1,6 +1,18 @@
|
|
1
1
|
language: ruby
|
2
2
|
rvm:
|
3
|
-
- 1.9.3
|
4
|
-
- 2.0.0
|
5
|
-
- 2.1.0
|
6
|
-
- 2.1.1
|
3
|
+
- '1.9.3'
|
4
|
+
- '2.0.0'
|
5
|
+
- '2.1.0'
|
6
|
+
- '2.1.1'
|
7
|
+
- ruby-head
|
8
|
+
services:
|
9
|
+
- redis-server
|
10
|
+
gemfile:
|
11
|
+
- Gemfile.rails-3.2.x
|
12
|
+
- Gemfile.rails-4.0.x
|
13
|
+
- Gemfile.rails-4.1.x
|
14
|
+
- Gemfile.rails-head
|
15
|
+
matrix:
|
16
|
+
allow_failures:
|
17
|
+
- rvm: ruby-head
|
18
|
+
- gemfile: Gemfile.rails-head
|
data/Gemfile.rails-3.2.x
ADDED
data/Gemfile.rails-4.0.x
ADDED
data/Gemfile.rails-4.1.x
ADDED
data/Gemfile.rails-head
ADDED
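--- a/data/README.md
+++ b/data/README.md
@@ -87,8 +87,17 @@ There is one security impact: If you copy & paste a URL with your Sessions-ID to
 
 Two countermeasure could be to bind sessions to the client's IP-Address and add a session lifetime. For both you can use the [frikandel](https://rubygems.org/gems/frikandel) gem. This should make it harder to steal and fix sessions.
 
+## Test
+
+To run the test suite with different rails version by selecting the corresponding gemfile. You can use this one liners:
+
+$ export BUNDLE_GEMFILE=Gemfile.rails-3.2.x && bundle update && bundle exec rake spec
+$ export BUNDLE_GEMFILE=Gemfile.rails-4.0.x && bundle update && bundle exec rake spec
+$ export BUNDLE_GEMFILE=Gemfile.rails-4.1.x && bundle update && bundle exec rake spec
+
 ## Changes
 
+* v1.0.1 -- added Rails32DestroyableSessionPatch: sets SID in options on destroy
 * v1.0.0 -- first release with complete README; no code changes
 * v0.0.2 -- improved and more flexible version with tests
 * v0.0.1 -- initial and work-in-progress version without any tests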
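--- a/data/cookieless_sessions.gemspec
+++ b/data/cookieless_sessions.gemspec
@@ -18,14 +18,15 @@ Gem::Specification.new do |spec|
 spec.test_files = spec.files.grep(%r{^(test|spec|features)/})
 spec.require_paths = ["lib"]
 
-spec.add_development_dependency "bundler", "~> 1.
-spec.add_development_dependency "rake", "~> 10.
+spec.add_development_dependency "bundler", "~> 1.5"
+spec.add_development_dependency "rake", "~> 10.0"
 spec.add_development_dependency "rspec-rails", "~> 2.14"
 spec.add_development_dependency "guard-rspec", "~> 4.2"
 spec.add_development_dependency "capybara", "~> 2.2"
+spec.add_development_dependency "launchy", "~> 2.4"
 spec.add_development_dependency "poltergeist", "~> 1.5"
 spec.add_development_dependency "pry", "~> 0.9"
-spec.add_development_dependency "rails", [">= 3.
+spec.add_development_dependency "rails", [">= 3.2.0", "< 5.0"]
 spec.add_development_dependency "sqlite3", "~> 1.3"
 spec.add_development_dependency "redis-session-store", "~> 0.7"
 end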
data/lib/cookieless_sessions.rb
CHANGED
@@ -0,0 +1,18 @@
|
|
1
|
+
module CookielessSessions
|
2
|
+
module Rails32DestroyableSessionPatch
|
3
|
+
def destroy
|
4
|
+
clear
|
5
|
+
options = @env[Rack::Session::Abstract::ENV_SESSION_OPTIONS_KEY] if @env
|
6
|
+
options ||= {}
|
7
|
+
options[:id] = @by.send(:destroy_session, @env, options[:id], options) if @by
|
8
|
+
@loaded = false
|
9
|
+
end
|
10
|
+
end
|
11
|
+
|
12
|
+
|
13
|
+
if Rails::VERSION::MAJOR == 3 && Rails::VERSION::MINOR == 2
|
14
|
+
ActiveSupport.on_load(:action_controller) do
|
15
|
+
::Rack::Session::Abstract::SessionHash.send(:include, Rails32DestroyableSessionPatch)
|
16
|
+
end
|
17
|
+
end
|
18
|
+
end
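Review bot: Mixing `Rails32DestroyableSessionPatch` into `::Rack::Session::Abstract::SessionHash` with `send(:include, ...)` only replaces `destroy` if `SessionHash` does not define that method on the class itself; a method defined directly on a class takes precedence over one from an included module, and this module reads like a copy of Rack's own `destroy` plus the `options[:id] =` assignment, so if the Rack shipped with Rails 3.2 already defines it the patch would be a silent no-op. Worth confirming in the 3.2 spec run with `::Rack::Session::Abstract::SessionHash.instance_method(:destroy).owner`; if that reports the class rather than the module, the override needs `class_eval` with `alias_method` (or `prepend`, which is not available on the 1.9.3 entry still in the Travis matrix). The new "returns a session_id with reset_session before" spec is what guards this, so it should be run against the 3.2 gemfile and not only 4.x. A short comment above the module stating the intent would help the next reader, e.g. `# Rack bundled with Rails 3.2 drops the SID returned by destroy_session on reset_session; keep it in options[:id] so the store persists the new session (presumably what the v1.0.1 changelog entry refers to).`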
|
@@ -0,0 +1,12 @@
|
|
1
|
+
# Be sure to restart your server when you modify this file.
|
2
|
+
|
3
|
+
# Your secret key is used for verifying the integrity of signed cookies.
|
4
|
+
# If you change this key, all old signed cookies will become invalid!
|
5
|
+
|
6
|
+
# Make sure the secret is at least 30 characters and all random,
|
7
|
+
# no regular words or you'll be exposed to dictionary attacks.
|
8
|
+
# You can use `rake secret` to generate a secure secret key.
|
9
|
+
|
10
|
+
# Make sure your secret_key_base is kept private
|
11
|
+
# if you're sharing your code publicly.
|
12
|
+
Dummy::Application.config.secret_key_base = 'd5d118e8498b66b90fbce607ed69a9b8ca70689e8583c9cfd2b7996fa74ac8a39c9dac57098f39be071ed9edbefbdee0a72d4024f40aa5d4d882a6886c1cc5fa'
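Review bot: The new initializer assigns `config.secret_key_base`, but Rails 3.2 — the version this release adds to the test matrix — reads `config.secret_token` rather than `secret_key_base`, so under the 3.2 gemfile the dummy app would presumably run with no secret configured at all. Unless the redis-backed session store signs nothing in that setup, setting both (`Dummy::Application.config.secret_token = ...` alongside the existing line) or branching on `Rails::VERSION::MAJOR` keeps the fixture equivalent across Rails versions. The literal value itself is the same test key that the removed `secrets.yml` already carried, so nothing new is exposed, but the boilerplate header about keeping the key private then reads oddly next to a committed value; a one-line `# Fixed test-only key for the dummy app; not used outside spec/` states the actual intent.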
|
@@ -17,6 +17,7 @@ describe 'Cookieless', js: true do
|
|
17
17
|
visit root_path # visit first time to get a valid session_id
|
18
18
|
|
19
19
|
session_id = extract_session_id_from_headers(page.response_headers)
|
20
|
+
session_id.should be_present
|
20
21
|
|
21
22
|
page.should have_content("'#{session_id}'")
|
22
23
|
|
@@ -29,10 +30,19 @@ describe 'Cookieless', js: true do
|
|
29
30
|
|
30
31
|
page.should have_content("'#{session_id}'")
|
31
32
|
end
|
33
|
+
|
34
|
+
it "returns a session_id with reset_session before" do
|
35
|
+
visit reset_root_path
|
36
|
+
|
37
|
+
session_id = extract_session_id_from_headers(page.response_headers)
|
38
|
+
session_id.should be_present
|
39
|
+
|
40
|
+
page.should have_content("'#{session_id}'")
|
41
|
+
end
|
32
42
|
end
|
33
43
|
|
34
44
|
|
35
|
-
context "with cookies
|
45
|
+
context "with cookies enabled" do
|
36
46
|
before(:each) do
|
37
47
|
Capybara.current_session.driver.cookies_enabled = true
|
38
48
|
end
|
@@ -45,6 +55,7 @@ describe 'Cookieless', js: true do
|
|
45
55
|
visit root_path # visit first time to get a valid session_id.
|
46
56
|
|
47
57
|
session_id = extract_session_id_from_headers(page.response_headers)
|
58
|
+
session_id.should be_present
|
48
59
|
|
49
60
|
page.should have_content("'#{session_id}'")
|
50
61
|
|
@@ -55,6 +66,7 @@ describe 'Cookieless', js: true do
|
|
55
66
|
visit root_path # visit again with fresh session to get a new session_id.
|
56
67
|
|
57
68
|
other_session_id = extract_session_id_from_headers(page.response_headers)
|
69
|
+
other_session_id.should be_present
|
58
70
|
|
59
71
|
page.should have_content("'#{other_session_id}'")
|
60
72
|
|
@@ -1,5 +1,6 @@
|
|
1
1
|
Rails.application.routes.draw do
|
2
2
|
get "/cookieless" => "cookieless#index", as: :root
|
3
|
+
get "/cookieless/reset" => "cookieless#reset_index", as: :reset_root
|
3
4
|
get "/cookieless/redirect" => "cookieless#redirect_to_root", as: :redirect_to_root
|
4
5
|
end
|
5
6
|
|
@@ -16,7 +17,13 @@ class CookielessController < ApplicationController
|
|
16
17
|
def index
|
17
18
|
session[:useless] = :content
|
18
19
|
|
19
|
-
render text: "CookielessController#Index\r\nSession-Key: '#{session_key}'\r\nSession-ID: '#{session_id}'\r\n"
|
20
|
+
render text: "CookielessController#Index\r\nSession-Key: '#{session_key}'\r\nSession-ID: '#{session_id}'\r\nRails-Version: '#{Rails.version}'\r\n"
|
21
|
+
end
|
22
|
+
|
23
|
+
def reset_index
|
24
|
+
reset_session
|
25
|
+
|
26
|
+
render text: "CookielessController#Index\r\nSession-Key: '#{session_key}'\r\nSession-ID: '#{session_id}'\r\nRails-Version: '#{Rails.version}'\r\n"
|
20
27
|
end
|
21
28
|
|
22
29
|
def redirect_to_root
|
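Review bot: `reset_index` duplicates the full `render text:` string from `index` verbatim, so the two will drift the next time one of them changes (the `Rails-Version` field was just added to both by hand). Extracting the body into a private helper and calling `render text: session_info_text` from both actions keeps the spec's `have_content` expectations satisfied while leaving a single place to edit. The header line still says `CookielessController#Index` in `reset_index`, which looks like a copy-paste leftover rather than intent. The enclosing `CookielessController` class starts and ends outside this hunk.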
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: cookieless_sessions
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 1.0.
|
4
|
+
version: 1.0.1
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Taktsoft
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2014-
|
11
|
+
date: 2014-05-05 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: bundler
|
@@ -16,28 +16,28 @@ dependencies:
|
|
16
16
|
requirements:
|
17
17
|
- - "~>"
|
18
18
|
- !ruby/object:Gem::Version
|
19
|
-
version: '1.
|
19
|
+
version: '1.5'
|
20
20
|
type: :development
|
21
21
|
prerelease: false
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
23
23
|
requirements:
|
24
24
|
- - "~>"
|
25
25
|
- !ruby/object:Gem::Version
|
26
|
-
version: '1.
|
26
|
+
version: '1.5'
|
27
27
|
- !ruby/object:Gem::Dependency
|
28
28
|
name: rake
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
30
30
|
requirements:
|
31
31
|
- - "~>"
|
32
32
|
- !ruby/object:Gem::Version
|
33
|
-
version: '10.
|
33
|
+
version: '10.0'
|
34
34
|
type: :development
|
35
35
|
prerelease: false
|
36
36
|
version_requirements: !ruby/object:Gem::Requirement
|
37
37
|
requirements:
|
38
38
|
- - "~>"
|
39
39
|
- !ruby/object:Gem::Version
|
40
|
-
version: '10.
|
40
|
+
version: '10.0'
|
41
41
|
- !ruby/object:Gem::Dependency
|
42
42
|
name: rspec-rails
|
43
43
|
requirement: !ruby/object:Gem::Requirement
|
@@ -80,6 +80,20 @@ dependencies:
|
|
80
80
|
- - "~>"
|
81
81
|
- !ruby/object:Gem::Version
|
82
82
|
version: '2.2'
|
83
|
+
- !ruby/object:Gem::Dependency
|
84
|
+
name: launchy
|
85
|
+
requirement: !ruby/object:Gem::Requirement
|
86
|
+
requirements:
|
87
|
+
- - "~>"
|
88
|
+
- !ruby/object:Gem::Version
|
89
|
+
version: '2.4'
|
90
|
+
type: :development
|
91
|
+
prerelease: false
|
92
|
+
version_requirements: !ruby/object:Gem::Requirement
|
93
|
+
requirements:
|
94
|
+
- - "~>"
|
95
|
+
- !ruby/object:Gem::Version
|
96
|
+
version: '2.4'
|
83
97
|
- !ruby/object:Gem::Dependency
|
84
98
|
name: poltergeist
|
85
99
|
requirement: !ruby/object:Gem::Requirement
|
@@ -114,7 +128,7 @@ dependencies:
|
|
114
128
|
requirements:
|
115
129
|
- - ">="
|
116
130
|
- !ruby/object:Gem::Version
|
117
|
-
version: 3.
|
131
|
+
version: 3.2.0
|
118
132
|
- - "<"
|
119
133
|
- !ruby/object:Gem::Version
|
120
134
|
version: '5.0'
|
@@ -124,7 +138,7 @@ dependencies:
|
|
124
138
|
requirements:
|
125
139
|
- - ">="
|
126
140
|
- !ruby/object:Gem::Version
|
127
|
-
version: 3.
|
141
|
+
version: 3.2.0
|
128
142
|
- - "<"
|
129
143
|
- !ruby/object:Gem::Version
|
130
144
|
version: '5.0'
|
@@ -166,16 +180,19 @@ extra_rdoc_files: []
|
|
166
180
|
files:
|
167
181
|
- ".gitignore"
|
168
182
|
- ".rspec"
|
169
|
-
- ".ruby-gemset"
|
170
|
-
- ".ruby-version"
|
171
183
|
- ".travis.yml"
|
172
184
|
- Gemfile
|
185
|
+
- Gemfile.rails-3.2.x
|
186
|
+
- Gemfile.rails-4.0.x
|
187
|
+
- Gemfile.rails-4.1.x
|
188
|
+
- Gemfile.rails-head
|
173
189
|
- Guardfile
|
174
190
|
- LICENSE.txt
|
175
191
|
- README.md
|
176
192
|
- Rakefile
|
177
193
|
- cookieless_sessions.gemspec
|
178
194
|
- lib/cookieless_sessions.rb
|
195
|
+
- lib/cookieless_sessions/rails_32_patch.rb
|
179
196
|
- lib/cookieless_sessions/version.rb
|
180
197
|
- spec/controllers/cookieless_controller_spec.rb
|
181
198
|
- spec/controllers/sub_cookie_controller_from_cookieless_controller_spec.rb
|
@@ -208,11 +225,11 @@ files:
|
|
208
225
|
- spec/dummy/config/initializers/filter_parameter_logging.rb
|
209
226
|
- spec/dummy/config/initializers/inflections.rb
|
210
227
|
- spec/dummy/config/initializers/mime_types.rb
|
228
|
+
- spec/dummy/config/initializers/secret_token.rb
|
211
229
|
- spec/dummy/config/initializers/session_store.rb
|
212
230
|
- spec/dummy/config/initializers/wrap_parameters.rb
|
213
231
|
- spec/dummy/config/locales/en.yml
|
214
232
|
- spec/dummy/config/routes.rb
|
215
|
-
- spec/dummy/config/secrets.yml
|
216
233
|
- spec/dummy/lib/assets/.keep
|
217
234
|
- spec/dummy/log/.keep
|
218
235
|
- spec/dummy/public/404.html
|
@@ -279,11 +296,11 @@ test_files:
|
|
279
296
|
- spec/dummy/config/initializers/filter_parameter_logging.rb
|
280
297
|
- spec/dummy/config/initializers/inflections.rb
|
281
298
|
- spec/dummy/config/initializers/mime_types.rb
|
299
|
+
- spec/dummy/config/initializers/secret_token.rb
|
282
300
|
- spec/dummy/config/initializers/session_store.rb
|
283
301
|
- spec/dummy/config/initializers/wrap_parameters.rb
|
284
302
|
- spec/dummy/config/locales/en.yml
|
285
303
|
- spec/dummy/config/routes.rb
|
286
|
-
- spec/dummy/config/secrets.yml
|
287
304
|
- spec/dummy/lib/assets/.keep
|
288
305
|
- spec/dummy/log/.keep
|
289
306
|
- spec/dummy/public/404.html
|
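--- a/data/.ruby-gemset
+++ b/data/.ruby-gemset
@@ -1 +0,0 @@
-cookieless_sessions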
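--- a/data/.ruby-version
+++ b/data/.ruby-version
@@ -1 +0,0 @@
-ruby-2.1.1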
@@ -1,22 +0,0 @@
|
|
1
|
-
# Be sure to restart your server when you modify this file.
|
2
|
-
|
3
|
-
# Your secret key is used for verifying the integrity of signed cookies.
|
4
|
-
# If you change this key, all old signed cookies will become invalid!
|
5
|
-
|
6
|
-
# Make sure the secret is at least 30 characters and all random,
|
7
|
-
# no regular words or you'll be exposed to dictionary attacks.
|
8
|
-
# You can use `rake secret` to generate a secure secret key.
|
9
|
-
|
10
|
-
# Make sure the secrets in this file are kept private
|
11
|
-
# if you're sharing your code publicly.
|
12
|
-
|
13
|
-
development:
|
14
|
-
secret_key_base: bf4acc52f1b964efe6d6f9cd53b1d0f3bbf6a63d2e5a3f59177c8e8343992e680cdf67cb7593012d92794b03d5ede5a68e70c40d703e3b71410d263d40f24d6c
|
15
|
-
|
16
|
-
test:
|
17
|
-
secret_key_base: d5d118e8498b66b90fbce607ed69a9b8ca70689e8583c9cfd2b7996fa74ac8a39c9dac57098f39be071ed9edbefbdee0a72d4024f40aa5d4d882a6886c1cc5fa
|
18
|
-
|
19
|
-
# Do not keep production secrets in the repository,
|
20
|
-
# instead read values from the environment.
|
21
|
-
production:
|
22
|
-
secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>
|