roda 3.9.0 → 3.10.0

data/lib/roda/session_middleware.rb

@@ -0,0 +1,175 @@
+# frozen-string-literal: true
+
+require_relative '../roda'
+require_relative 'plugins/sessions'
+
+# Session middleware that can be used in any Rack application
+# that uses Roda's sessions plugin for encrypted and signed cookies.
+# See Roda::RodaPlugins::Sessions for details on options.
+class RodaSessionMiddleware
+  # Class to hold session data.  This is designed to mimic the API
+  # of Rack::Session::Abstract::SessionHash, but is simpler and faster.
+  # Undocumented methods operate the same as hash methods, but load the
+  # session from the cookie if it hasn't been loaded yet, and convert
+  # keys to strings.
+  #
+  # One difference between SessionHash and Rack::Session::Abstract::SessionHash
+  # is that SessionHash does not attempt to setup a session id, since
+  # one is not needed for cookie-based sessions, only for sessions
+  # that are loaded out of a database.  If you need to have a session id
+  # for other reasons, manually create a session id using a randomly generated
+  # string.
+  class SessionHash
+    # The Roda::RodaRequest subclass instance related to the session.
+    attr_reader :req
+
+    # The underlying data hash, or nil if the session has not yet been
+    # loaded.
+    attr_reader :data
+
+    def initialize(req)
+      @req = req
+    end
+
+    # The Roda sessions plugin options used by the middleware for this
+    # session hash.
+    def options
+      @req.roda_class.opts[:sessions]
+    end
+
+    def each(&block)
+      load!
+      @data.each(&block)
+    end
+
+    def [](key)
+      load!
+      @data[key.to_s]
+    end
+
+    def fetch(key, default = (no_default = true), &block)
+      load!
+      if no_default
+        @data.fetch(key.to_s, &block)
+      else
+        @data.fetch(key.to_s, default, &block)
+      end
+    end
+
+    def has_key?(key)
+      load!
+      @data.has_key?(key.to_s)
+    end
+    alias :key? :has_key?
+    alias :include? :has_key?
+
+    def []=(key, value)
+      load!
+      @data[key.to_s] = value
+    end
+    alias :store :[]=
+
+    # Clear the session, also removing a couple of roda session
+    # keys from the environment so that the related cookie will
+    # either be set or cleared in the rack response.
+    def clear
+      load!
+      env = @req.env
+      env.delete('roda.session.created_at')
+      env.delete('roda.session.updated_at')
+      @data.clear
+    end
+    alias :destroy :clear
+
+    def to_hash
+      load!
+      @data.dup
+    end
+
+    def update(hash)
+      load!
+      hash.each do |key, value|
+        @data[key.to_s] = value
+      end
+      @data
+    end
+    alias :merge! :update
+
+    def replace(hash)
+      load!
+      @data.clear
+      update(hash)
+    end
+
+    def delete(key)
+      load!
+      @data.delete(key.to_s)
+    end
+
+    # If the session hasn't been loaded, display that.
+    def inspect
+      if loaded?
+        @data.inspect
+      else
+        "#<#{self.class}:0x#{self.object_id.to_s(16)} not yet loaded>"
+      end
+    end
+
+    # Return whether the session cookie already exists.
+    # If this is false, then the session was set to an empty hash.
+    def exists?
+      load!
+      req.env.has_key?('roda.session.serialized')
+    end
+
+    # Whether the session has already been loaded from the cookie yet.
+    def loaded?
+      !!defined?(@data)
+    end
+
+    def empty?
+      load!
+      @data.empty?
+    end
+
+    def keys
+      load!
+      @data.keys
+    end
+
+    def values
+      load!
+      @data.values
+    end
+
+    private
+
+    # Load the session from the cookie.
+    def load!
+      @data ||= @req.send(:_load_session)
+    end
+  end
+
+  # Setup the middleware, passing +opts+ as the Roda sessions plugin options.
+  def initialize(app, opts)
+    mid = Class.new(Roda)
+    mid.plugin :sessions, opts
+    @req_class = mid::RodaRequest
+    @app = app
+  end
+
+  # Initialize the session hash in the environment before calling the next
+  # application, and if the session has been loaded after the result has been
+  # returned, then persist the session in the cookie.
+  def call(env)
+    session = env['rack.session'] = SessionHash.new(@req_class.new(nil, env))
+
+    res = @app.call(env)
+
+    if session.loaded?
+      session.req.persist_session(res[1], session.data)
+    end
+
+    res
+  end
+end

data/lib/roda/version.rb

@@ -4,7 +4,7 @@ class Roda
   RodaMajorVersion = 3
 
   # The minor version of Roda, updated for new feature releases of Roda.
-  RodaMinorVersion = 9
+  RodaMinorVersion = 10
 
   # The patch version of Roda, updated only for bug fixes from the last
   # feature release.

data/spec/plugin/csrf_spec.rb

@@ -10,7 +10,7 @@ describe "csrf plugin" do
 
   it "adds csrf protection and csrf helper methods" do
     app(:bare) do
-      use Rack::Session::Cookie, :secret=>'1'
+      use(*DEFAULT_SESSION_MIDDLEWARE_ARGS)
       plugin :csrf, :skip=>['POST:/foo']
 
       route do |r|
@@ -74,7 +74,7 @@ describe "csrf plugin" do
     end
 
     app(:bare) do
-      use Rack::Session::Cookie, :secret=>'1'
+      use(*DEFAULT_SESSION_MIDDLEWARE_ARGS)
       plugin :csrf, :skip=>['POST:/foo/bar']
 
       route do |r|

data/spec/plugin/flash_spec.rb

@@ -5,7 +5,7 @@ describe "flash plugin" do
 
   it "flash.now[] sets flash for current page" do
     app(:bare) do
-      use Rack::Session::Cookie, :secret => "1"
+      send(*DEFAULT_SESSION_ARGS)
       plugin :flash
 
       route do |r|
@@ -21,35 +21,29 @@ describe "flash plugin" do
 
   it "flash[] sets flash for next page" do
     app(:bare) do
-      use Rack::Session::Cookie, :secret => "1"
       plugin :flash
+      send(*DEFAULT_SESSION_ARGS)
 
       route do |r|
-        r.on 'a' do
-          "c#{flash['a']}"
-        end
+        r.get('a'){"c#{flash['a']}"}
+        r.get('f'){flash; session['_flash'].inspect}
 
-        r.on do
-          flash['a'] = "b#{flash['a']}"
-          flash['a'] || ''
-        end
+        flash['a'] = "b#{flash['a']}"
+        flash['a'] || ''
       end
     end
 
-    _, h, b = req
-    b.join.must_equal ''
-    _, h, b = req
-    b.join.must_equal 'b'
-    _, h, b = req
-    b.join.must_equal 'bb'
-    _, h, b = req('/a')
-    b.join.must_equal 'cbbb'
-    _, h, b = req
-    b.join.must_equal ''
-    _, h, b = req
-    b.join.must_equal 'b'
-    _, h, b = req
-    b.join.must_equal 'bb'
+    body.must_equal ''
+    body.must_equal 'b'
+    body.must_equal 'bb'
+
+    body('/a').must_equal 'cbbb'
+    body.must_equal ''
+    body.must_equal 'b'
+    body.must_equal 'bb'
+
+    body('/f').must_equal '{"a"=>"bbb"}'
+    body('/f').must_equal 'nil'
   end
 end
 

data/spec/plugin/heartbeat_spec.rb

@@ -36,7 +36,7 @@ describe "heartbeat plugin" do
 
   it "should work when using sessions" do
     app(:bare) do
-      use Rack::Session::Cookie, :secret=>'foo'
+      send(*DEFAULT_SESSION_ARGS)
       plugin :heartbeat
 
       route do |r|

data/spec/plugin/middleware_spec.rb

@@ -146,4 +146,19 @@ describe "middleware plugin" do
     end
     body.must_equal 'bar'
   end
+
+  it "calls :handle_result option with env and response" do
+    app(:bare) do
+      plugin :middleware, :handle_result=>(proc do |env, res|
+        res[2] << env['foo']
+      end)
+      route{}
+    end
+    mid2 = app
+    app(:bare) do
+      use mid2
+      route{env['foo'] = 'bar'; 'baz'}
+    end
+    body.must_equal 'bazbar'
+  end
 end

data/spec/plugin/route_csrf_spec.rb

@@ -5,7 +5,7 @@ describe "route_csrf plugin" do
 
   def route_csrf_app(opts={}, &block)
     app(:bare) do
-      use Rack::Session::Cookie, :secret=>'1'
+      send(*DEFAULT_SESSION_ARGS) unless opts[:no_sessions_plugin]
       plugin(:route_csrf, opts, &opts[:block])
       route do |r|
         check_csrf! unless env['SKIP']
@@ -257,13 +257,14 @@ rescue LoadError
   warn "rack_csrf not installed, skipping route_csrf plugin test for rack_csrf upgrade"  
 else
   it "supports upgrades from existing rack_csrf token" do
-    route_csrf_app(:upgrade_from_rack_csrf_key=>'csrf.token') do |r|
+    route_csrf_app(:upgrade_from_rack_csrf_key=>'csrf.token', :no_sessions_plugin=>true) do |r|
       r.get 'clear' do
         session.clear
         ''
       end
       Rack::Csrf.token(env)
     end
+    app.use(*DEFAULT_SESSION_MIDDLEWARE_ARGS)
     app.use Rack::Csrf, :skip=>['POST:/foo', 'POST:/bar'], :raise=>true
     token = body
     token.length.wont_equal 84

data/spec/plugin/sessions_spec.rb

@@ -0,0 +1,371 @@
+require_relative "../spec_helper"
+
+if RUBY_VERSION >= '2'
+describe "sessions plugin" do 
+  include CookieJar
+
+  def req(path, opts={})
+    @errors ||= (errors = []; def errors.puts(s) self << s; end; errors)
+    super(path, opts.merge('rack.errors'=>@errors))
+  end
+
+  def errors
+    e = @errors.dup
+    @errors.clear
+    e
+  end
+
+  before do
+    app(:bare) do
+      plugin :sessions, :secret=>'1'*64
+      route do |r|
+        if r.GET['sut']
+          session
+          env['roda.session.updated_at'] -= r.GET['sut'].to_i if r.GET['sut']
+        end
+        r.get('s', String, String){|k, v| session[k] = v}
+        r.get('g',  String){|k| session[k].to_s}
+        r.get('sct'){|i| session; env['roda.session.created_at'].to_s}
+        r.get('ssct', Integer){|i| session; (env['roda.session.created_at'] -= i).to_s}
+        r.get('sc'){session.clear; 'c'}
+        r.get('cs', String, String){|k, v| clear_session; session[k] = v}
+        ''
+      end
+    end
+  end
+
+  it "requires appropriate :secret option" do
+    proc{app(:bare){plugin :sessions}}.must_raise Roda::RodaError
+    proc{app(:bare){plugin :sessions, :secret=>Object.new}}.must_raise Roda::RodaError
+    proc{app(:bare){plugin :sessions, :secret=>'1'*63}}.must_raise Roda::RodaError
+  end
+
+  it "has session store data between requests" do
+    req('/').must_equal [200, {"Content-Type"=>"text/html", "Content-Length"=>"0"}, [""]]
+    body('/s/foo/bar').must_equal 'bar'
+    body('/g/foo').must_equal 'bar'
+
+    body('/s/foo/baz').must_equal 'baz'
+    body('/g/foo').must_equal 'baz'
+
+    body("/s/foo/\u1234").must_equal "\u1234"
+    body("/g/foo").must_equal "\u1234"
+
+    errors.must_equal []
+  end
+
+  it "does not add Set-Cookie header if session does not change, unless outside :skip_within seconds" do
+    req('/').must_equal [200, {"Content-Type"=>"text/html", "Content-Length"=>"0"}, [""]]
+    _, h, b = req('/s/foo/bar')
+    h['Set-Cookie'].must_match(/\Aroda.session/)
+    b.must_equal ["bar"]
+    req('/g/foo').must_equal [200, {"Content-Type"=>"text/html", "Content-Length"=>"3"}, ["bar"]]
+    req('/s/foo/bar').must_equal [200, {"Content-Type"=>"text/html", "Content-Length"=>"3"}, ["bar"]]
+
+    _, h, b = req('/s/foo/baz')
+    h['Set-Cookie'].must_match(/\Aroda.session/)
+    b.must_equal ["baz"]
+    req('/g/foo').must_equal [200, {"Content-Type"=>"text/html", "Content-Length"=>"3"}, ["baz"]]
+
+    req('/g/foo', 'QUERY_STRING'=>'sut=3500').must_equal [200, {"Content-Type"=>"text/html", "Content-Length"=>"3"}, ["baz"]]
+    _, h, b = req('/g/foo', 'QUERY_STRING'=>'sut=3700')
+    h['Set-Cookie'].must_match(/\Aroda.session/)
+    b.must_equal ["baz"]
+
+    @app.plugin(:sessions, :skip_within=>3800)
+    req('/g/foo', 'QUERY_STRING'=>'sut=3700').must_equal [200, {"Content-Type"=>"text/html", "Content-Length"=>"3"}, ["baz"]]
+    _, h, b = req('/g/foo', 'QUERY_STRING'=>'sut=3900')
+    h['Set-Cookie'].must_match(/\Aroda.session/)
+    b.must_equal ["baz"]
+
+    errors.must_equal []
+  end
+
+  it "removes session cookie when session is submitted but empty after request" do
+    body('/s/foo/bar').must_equal 'bar'
+    sct = body('/sct').to_i
+    body('/g/foo').must_equal 'bar'
+
+    _, h, b = req('/sc')
+    h['Set-Cookie'].must_include "roda.session=; max-age=0; expires=Thu, 01 Jan 1970 00:00:00"
+    b.must_equal ['c']
+
+    errors.must_equal []
+  end
+
+  it "sets new session create time when clear_session is called even when session is not empty when serializing" do
+    body('/s/foo/bar').must_equal 'bar'
+    sct = body('/sct').to_i
+    body('/g/foo').must_equal 'bar'
+    body('/sct').to_i.must_equal sct
+    body('/ssct/10').to_i.must_equal(sct - 10)
+
+    body('/cs/foo/baz').must_equal 'baz'
+    body('/sct').to_i.must_be :>=, sct
+
+    errors.must_equal []
+  end
+
+  it "should include HttpOnly and secure cookie options appropriately" do
+    h = header('Set-Cookie', '/s/foo/bar')
+    h.must_include('; HttpOnly')
+    h.wont_include('; secure')
+
+    h = header('Set-Cookie', '/s/foo/baz', 'HTTPS'=>'on')
+    h.must_include('; HttpOnly')
+    h.must_include('; secure')
+
+    @app.plugin(:sessions, :cookie_options=>{})
+    h = header('Set-Cookie', '/s/foo/bar')
+    h.must_include('; HttpOnly')
+    h.wont_include('; secure')
+  end
+
+  it "should merge :cookie_options options into the default cookie options" do
+    @app.plugin(:sessions, :cookie_options=>{:secure=>true})
+    h = header('Set-Cookie', '/s/foo/bar')
+    h.must_include('; HttpOnly')
+    h.must_include('; path=/')
+    h.must_include('; secure')
+  end
+
+  it "handles secret rotation using :old_secret option" do
+    body('/s/foo/bar').must_equal 'bar'
+    body('/g/foo').must_equal 'bar'
+
+    old_cookie = @cookie
+    @app.plugin(:sessions, :secret=>'2'*64, :old_secret=>'1'*64)
+    body('/g/foo', 'QUERY_STRING'=>'sut=3700').must_equal 'bar'
+
+    @app.plugin(:sessions, :secret=>'2'*64, :old_secret=>nil)
+    body('/g/foo', 'QUERY_STRING'=>'sut=3700').must_equal 'bar'
+
+    @cookie = old_cookie
+    body('/g/foo').must_equal ''
+    errors.must_equal ["Not decoding session: HMAC invalid"]
+
+    proc{app(:bare){plugin :sessions, :old_secret=>'1'*63}}.must_raise Roda::RodaError
+    proc{app(:bare){plugin :sessions, :old_secret=>Object.new}}.must_raise Roda::RodaError
+  end
+
+  it "pads data by default to make it more difficult to guess session contents based on size" do
+    long = "bar"*35
+
+    _, h1, b = req('/s/foo/bar')
+    b.must_equal ['bar']
+    _, h2, b = req('/s/foo/bar', 'QUERY_STRING'=>'sut=3700')
+    b.must_equal ['bar']
+    _, h3, b = req('/s/foo/bar2')
+    b.must_equal ['bar2']
+    _, h4, b = req("/s/foo/#{long}")
+    b.must_equal [long]
+    h1['Set-Cookie'].length.must_equal h2['Set-Cookie'].length
+    h1['Set-Cookie'].wont_equal h2['Set-Cookie']
+    h1['Set-Cookie'].length.must_equal h3['Set-Cookie'].length
+    h1['Set-Cookie'].wont_equal h3['Set-Cookie']
+    h1['Set-Cookie'].length.wont_equal h4['Set-Cookie'].length
+
+    @app.plugin(:sessions, :pad_size=>256)
+
+    _, h1, b = req('/s/foo/bar')
+    b.must_equal ['bar']
+    _, h2, b = req('/s/foo/bar', 'QUERY_STRING'=>'sut=3700')
+    b.must_equal ['bar']
+    _, h3, b = req('/s/foo/bar2')
+    b.must_equal ['bar2']
+    _, h4, b = req("/s/foo/#{long}")
+    b.must_equal [long]
+    h1['Set-Cookie'].length.must_equal h2['Set-Cookie'].length
+    h1['Set-Cookie'].wont_equal h2['Set-Cookie']
+    h1['Set-Cookie'].length.must_equal h3['Set-Cookie'].length
+    h1['Set-Cookie'].wont_equal h3['Set-Cookie']
+    h1['Set-Cookie'].length.must_equal h4['Set-Cookie'].length
+    h1['Set-Cookie'].wont_equal h3['Set-Cookie']
+
+    @app.plugin(:sessions, :pad_size=>nil)
+
+    _, h1, b = req('/s/foo/bar')
+    b.must_equal ['bar']
+    _, h2, b = req('/s/foo/bar', 'QUERY_STRING'=>'sut=3700')
+    b.must_equal ['bar']
+    _, h3, b = req('/s/foo/bar2')
+    b.must_equal ['bar2']
+    h1['Set-Cookie'].length.must_equal h2['Set-Cookie'].length
+    h1['Set-Cookie'].wont_equal h2['Set-Cookie']
+    if !defined?(JRUBY_VERSION) || JRUBY_VERSION >= '9.2'
+      h1['Set-Cookie'].length.wont_equal h3['Set-Cookie'].length
+    end
+
+    proc{@app.plugin(:sessions, :pad_size=>0)}.must_raise Roda::RodaError
+    proc{@app.plugin(:sessions, :pad_size=>1)}.must_raise Roda::RodaError
+    proc{@app.plugin(:sessions, :pad_size=>Object.new)}.must_raise Roda::RodaError
+
+    errors.must_equal []
+  end
+
+  it "compresses data over a certain size by default" do
+    long = 'b'*8192
+    body("/s/foo/#{long}").must_equal long
+    body("/g/foo").must_equal long
+
+    @app.plugin(:sessions, :gzip_over=>15000)
+    proc{body("/g/foo", 'QUERY_STRING'=>'sut=3700')}.must_raise Roda::RodaPlugins::Sessions::CookieTooLarge
+
+    @app.plugin(:sessions, :gzip_over=>8000)
+    body("/g/foo", 'QUERY_STRING'=>'sut=3700').must_equal long
+
+    errors.must_equal []
+  end
+
+  it "raises CookieTooLarge if cookie is too large" do
+    proc{req('/s/foo/'+Base64.urlsafe_encode64(SecureRandom.random_bytes(8192)))}.must_raise Roda::RodaPlugins::Sessions::CookieTooLarge
+  end
+
+  it "ignores session cookies if session exceeds max time since create" do
+    body("/s/foo/bar").must_equal 'bar'
+    body("/g/foo").must_equal 'bar'
+
+    @app.plugin(:sessions, :max_seconds=>-1)
+    body("/g/foo").must_equal ''
+    errors.must_equal ["Not returning session: maximum session time expired"]
+
+    @app.plugin(:sessions, :max_seconds=>10)
+    body("/s/foo/bar").must_equal 'bar'
+    body("/g/foo").must_equal 'bar'
+
+    errors.must_equal []
+  end
+
+  it "ignores session cookies if session exceeds max idle time since update" do
+    body("/s/foo/bar").must_equal 'bar'
+    body("/g/foo").must_equal 'bar'
+
+    @app.plugin(:sessions, :max_idle_seconds=>-1)
+    body("/g/foo").must_equal ''
+    errors.must_equal ["Not returning session: maximum session idle time expired"]
+
+    @app.plugin(:sessions, :max_idle_seconds=>10)
+    body("/s/foo/bar").must_equal 'bar'
+    body("/g/foo").must_equal 'bar'
+
+    errors.must_equal []
+  end
+
+  it "supports :serializer and :parser options to override serializer/deserializer" do
+    body('/s/foo/bar').must_equal 'bar'
+
+    @app.plugin(:sessions, :parser=>proc{|s| JSON.parse("{#{s[1...-1].reverse}}")})
+    body('/g/rab').must_equal 'oof'
+
+    @app.plugin(:sessions, :serializer=>proc{|s| s.to_json.upcase})
+
+    body('/s/foo/baz').must_equal 'baz'
+    body('/g/ZAB').must_equal 'OOF'
+
+    errors.must_equal []
+  end
+
+  it "logs session decoding errors to rack.errors" do
+    body('/s/foo/bar').must_equal 'bar'
+    c = @cookie.dup
+    k = c.split('=', 2)[0] + '='
+
+    @cookie[20] = '!'
+    body('/g/foo').must_equal ''
+    errors.must_equal ["Unable to decode session: invalid base64"]
+
+    @cookie = k+Base64.urlsafe_encode64('1'*60)
+    body('/g/foo').must_equal ''
+    errors.must_equal ["Unable to decode session: data too short"]
+
+    @cookie = k+Base64.urlsafe_encode64('1'*75)
+    body('/g/foo').must_equal ''
+    errors.must_equal ["Unable to decode session: version marker unsupported"]
+
+    @cookie = k+Base64.urlsafe_encode64("\0"*75)
+    body('/g/foo').must_equal ''
+    errors.must_equal ["Not decoding session: HMAC invalid"]
+  end
+end
+
+describe "sessions plugin" do 
+  include CookieJar
+
+  def req(path, opts={})
+    @errors ||= (errors = []; def errors.puts(s) self << s; end; errors)
+    super(path, opts.merge('rack.errors'=>@errors))
+  end
+
+  def errors
+    e = @errors.dup
+    @errors.clear
+    e
+  end
+
+  it "supports transparent upgrade from Rack::Session::Cookie with default HMAC and coder" do
+    app(:bare) do
+      use Rack::Session::Cookie, :secret=>'1'
+      plugin :middleware_stack
+      route do |r|
+        r.get('s', String, String){|k, v| session[k] = {:a=>v}; v}
+        r.get('g',  String){|k| session[k].inspect}
+        ''
+      end
+    end
+
+    _, h, b = req('/s/foo/bar')
+    (h['Set-Cookie'] =~ /\A(rack\.session=.*); path=\/; HttpOnly\z/).must_equal 0
+    c = $1
+    b.must_equal ['bar']
+    _, h, b = req('/g/foo')
+    h['Set-Cookie'].must_be_nil
+    b.must_equal ['{:a=>"bar"}']
+
+    @app.plugin :sessions, :secret=>'1'*64,
+                :upgrade_from_rack_session_cookie_secret=>'1'
+    @app.middleware_stack.remove{|m, *| m == Rack::Session::Cookie}
+
+    @cookie = c.dup
+    @cookie.slice!(15)
+    body('/g/foo').must_equal 'nil'
+    errors.must_equal ["Not decoding Rack::Session::Cookie session: HMAC invalid"]
+
+    @cookie = c.split('--', 2)[0]
+    body('/g/foo').must_equal 'nil'
+    errors.must_equal ["Not decoding Rack::Session::Cookie session: invalid format"]
+
+    @cookie = c.split('--', 2)[0][13..-1]
+    @cookie = Rack::Utils.unescape(@cookie).unpack('m')[0]
+    @cookie[2] = "^"
+    @cookie = [@cookie].pack('m')
+    cookie = String.new
+    cookie << 'rack.session=' << @cookie << '--' << OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA1.new, '1', @cookie)
+    @cookie = cookie
+    body('/g/foo').must_equal 'nil'
+    errors.must_equal ["Error decoding Rack::Session::Cookie session: not base64 encoded marshal dump"]
+
+    @cookie = c
+    _, h, b = req('/g/foo')
+    h['Set-Cookie'].must_match(/\Aroda\.session=(.*); path=\/; HttpOnly(; SameSite=Lax)?\nrack\.session=; path=\/; max-age=0; expires=Thu, 01 Jan 1970 00:00:00/m)
+    b.must_equal ['{"a"=>"bar"}']
+
+    @app.plugin :sessions, :cookie_options=>{:path=>'/foo'}, :upgrade_from_rack_session_cookie_options=>{}
+    @cookie = c
+    _, h, b = req('/g/foo')
+    h['Set-Cookie'].must_match(/\Aroda\.session=(.*); path=\/foo; HttpOnly(; SameSite=Lax)?\nrack\.session=; path=\/foo; max-age=0; expires=Thu, 01 Jan 1970 00:00:00/m)
+    b.must_equal ['{"a"=>"bar"}']
+
+    @app.plugin :sessions, :upgrade_from_rack_session_cookie_options=>{:path=>'/baz'}
+    @cookie = c
+    _, h, b = req('/g/foo')
+    h['Set-Cookie'].must_match(/\Aroda\.session=(.*); path=\/foo; HttpOnly(; SameSite=Lax)?\nrack\.session=; path=\/baz; max-age=0; expires=Thu, 01 Jan 1970 00:00:00/m)
+    b.must_equal ['{"a"=>"bar"}']
+
+    @app.plugin :sessions, :upgrade_from_rack_session_cookie_key=>'quux.session'
+    @cookie = c.sub(/\Arack/, 'quux')
+    _, h, b = req('/g/foo')
+    h['Set-Cookie'].must_match(/\Aroda\.session=(.*); path=\/foo; HttpOnly(; SameSite=Lax)?\nquux\.session=; path=\/baz; max-age=0; expires=Thu, 01 Jan 1970 00:00:00/m)
+    b.must_equal ['{"a"=>"bar"}']
+  end
+end
+end