safe_cookies 0.2.1 → 0.2.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +5 -13
- data/.gitignore +1 -0
- data/README.md +72 -49
- data/lib/safe_cookies/version.rb +1 -1
- data/safe_cookies.gemspec +1 -0
- metadata +16 -16
checksums.yaml
CHANGED
|
@@ -1,15 +1,7 @@
|
|
|
1
1
|
---
|
|
2
|
-
|
|
3
|
-
metadata.gz:
|
|
4
|
-
|
|
5
|
-
data.tar.gz: !binary |-
|
|
6
|
-
NDliMDkwMDFjOTMxZDVhNmU4NjgyZDgxZTQ1OWQ1N2E4NjFhNmZmYw==
|
|
2
|
+
SHA256:
|
|
3
|
+
metadata.gz: 7175011cd4a253c98779e5fdb5d221ea99dbbe5708e3a9dce37547ac89d29361
|
|
4
|
+
data.tar.gz: 08e2daf10fdd7ec2a115162969eaffd241edca9f82671a146bfafd381bd9f7a3
|
|
7
5
|
SHA512:
|
|
8
|
-
metadata.gz:
|
|
9
|
-
|
|
10
|
-
YmY0NTdiOGUxODQ4NWFiOTUzOTUyMjM0MTU2ZWUyOGQ3OGUxYjZhMDYzZGFk
|
|
11
|
-
ZDc5NTcwYjg2Zjc5MWM0MzgwMGE3YTA2NGMyZmQxYmIyOTg5NGY=
|
|
12
|
-
data.tar.gz: !binary |-
|
|
13
|
-
NWI3YmNhNzE2ODI1YzQ2ZGQ0NTk3NTAxODg5MTFhMWI0MDIxYWJmODNlZTU2
|
|
14
|
-
ZjVjZDRkYjE1YmNlNTU4YTIwYTYxNTMyNDFjMWQ2MGFiOTU3ZGNkNTlmZmZi
|
|
15
|
-
ZTdlOTI1M2ZhNTE1NDQzZTRiNTIzMjc2NTYxYzk3MGQ1Zjk5N2Q=
|
|
6
|
+
metadata.gz: 8f9932ab978f4cdeabc001314496ffed4214f9a966b45847e246c2c78730b1388ee1169a4def1864edb78481fbb30cefbffe29fd366f1a3abe207d107175c681
|
|
7
|
+
data.tar.gz: d42dbf95c6d38e99c1e0f356f31925ef6da59ba465a768ad5d25f573a02bb75e671330dbe6dfc4a52bf039879eab7ee53fe371d50d7e540ddaa5f87cd93aa8f6
|
data/.gitignore
CHANGED
data/README.md
CHANGED
|
@@ -1,47 +1,61 @@
|
|
|
1
|
+
# This gem is no longer maintained!
|
|
2
|
+
|
|
3
|
+
Read about [reasons and alternatives](https://makandracards.com/makandra/53693-rails-making-all-cookies-secure-to-pass-a-security-audit).
|
|
4
|
+
|
|
5
|
+
|
|
6
|
+
--------------------
|
|
7
|
+
|
|
1
8
|
# SafeCookies
|
|
2
9
|
|
|
3
|
-
This gem has a middleware that will make all cookies secure
|
|
4
|
-
|
|
10
|
+
This gem has a middleware that will make all cookies secure, by setting the
|
|
11
|
+
`HttpOnly` and the `secure` flag for all cookies the application sets on the
|
|
12
|
+
client.
|
|
13
|
+
|
|
14
|
+
Making a cookie `HttpOnly` prevents Javascripts from seeing it, which really
|
|
15
|
+
should be the default. It makes it way harder to steal cookie information via
|
|
16
|
+
malicious Javascript.
|
|
5
17
|
|
|
6
|
-
|
|
7
|
-
|
|
18
|
+
Making a cookie `secure` tells the browser to only send the cookie over HTTPS
|
|
19
|
+
connections, protecting it from being sniffed by a man-in-the-middle. (Setting a
|
|
20
|
+
[HSTS](http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) header
|
|
21
|
+
achieves the same, but Safari < 7 and IE < 11 don't speak HSTS.)
|
|
22
|
+
|
|
23
|
+
SafeCookies will *additionally* rewrite all cookies the user is sending. **But**
|
|
24
|
+
it can only do so, if the cookie was registered before (see below). It will rewrite
|
|
25
|
+
user cookies only once per user.
|
|
8
26
|
|
|
9
|
-
2) rewrite request cookies, setting both flags as above
|
|
10
27
|
|
|
11
28
|
## Installation
|
|
12
29
|
|
|
13
|
-
|
|
14
|
-
Add `gem 'safe_cookies'` to your application's Gemfile, then run `bundle install`.
|
|
30
|
+
1. Add `gem 'safe_cookies'` to your application's Gemfile, then run `bundle install`.
|
|
15
31
|
|
|
16
|
-
|
|
17
|
-
**Rails 3 and 4**: add the following lines to the application block in config/application.rb:
|
|
32
|
+
2. Add a configuration block in an initializer (e.g. `config/initializers/safe_cookies.rb`):
|
|
18
33
|
|
|
19
|
-
|
|
20
|
-
|
|
34
|
+
SafeCookies.configure do |config|
|
|
35
|
+
# configuration ...
|
|
36
|
+
end
|
|
21
37
|
|
|
22
|
-
|
|
38
|
+
3. Register the middleware:
|
|
23
39
|
|
|
24
|
-
|
|
25
|
-
config.middleware.insert_before ActionController::Session::CookieStore, SafeCookies::Middleware
|
|
40
|
+
Rails 3+: add the following lines to the application block in `config/application.rb`:
|
|
26
41
|
|
|
42
|
+
require 'safe_cookies'
|
|
43
|
+
config.middleware.insert_before ActionDispatch::Cookies, SafeCookies::Middleware
|
|
27
44
|
|
|
28
|
-
|
|
29
|
-
a cookie to be accessible via HTTP or Javascript?
|
|
45
|
+
Rails 2: add the following lines to the initializer block in `config/environment.rb`:
|
|
30
46
|
|
|
31
|
-
|
|
32
|
-
|
|
33
|
-
registering them. Do it either just after the lines you added above or in an
|
|
34
|
-
initializer (e.g. in `config/initializers/safe_cookies.rb`). The `:expire_after` option is required.
|
|
47
|
+
require 'safe_cookies'
|
|
48
|
+
config.middleware.insert_before ActionController::Session::CookieStore, SafeCookies::Middleware
|
|
35
49
|
|
|
36
|
-
|
|
37
|
-
|
|
38
|
-
|
|
39
|
-
|
|
50
|
+
Now all new cookies will be made `secure` and `HttpOnly`. But what about cookies
|
|
51
|
+
already out there?
|
|
52
|
+
|
|
53
|
+
|
|
54
|
+
## Updating existing cookies
|
|
40
55
|
|
|
41
|
-
### Employing SafeCookies in apps that are already running in production
|
|
42
56
|
Unfortunately, [the client won't ever tell us](http://tools.ietf.org/html/rfc6265#section-4.2.2)
|
|
43
|
-
if it stores
|
|
44
|
-
|
|
57
|
+
if it stores a cookie with flags such as `secure` or which expiry date it is
|
|
58
|
+
stored with. Therefore, in order to make the middleware retroactively secure
|
|
45
59
|
cookies owned by the client, you need to register each of those cookies with
|
|
46
60
|
the middleware, specifying their properties.
|
|
47
61
|
|
|
@@ -49,47 +63,56 @@ Carefully scan your app for cookies you are using. There's no easy way to find
|
|
|
49
63
|
out if you missed one (but see below for some help the gem provides).
|
|
50
64
|
|
|
51
65
|
SafeCookies.configure do |config|
|
|
52
|
-
config.register_cookie
|
|
53
|
-
config.register_cookie
|
|
66
|
+
config.register_cookie 'remember_token', :expire_after => 1.year
|
|
67
|
+
config.register_cookie 'last_action', :expire_after => 30.days, :path => '/commerce'
|
|
54
68
|
end
|
|
55
69
|
|
|
56
70
|
Available options are: `:expire_after` (required)`, :path, :secure, :http_only`.
|
|
71
|
+
For cookies with "session" expiry, set `:expire_after => nil`.
|
|
57
72
|
|
|
58
73
|
|
|
59
|
-
##
|
|
74
|
+
## Having a cookie non-secure or non-HttpOnly
|
|
75
|
+
|
|
76
|
+
Tell SafeCookies which cookies not to make `secure` or `HttpOnly` by registering
|
|
77
|
+
them, just like above:
|
|
78
|
+
|
|
79
|
+
SafeCookies.configure do |config|
|
|
80
|
+
config.register_cookie 'default_language', :expire_after => 10.years, :secure => false
|
|
81
|
+
config.register_cookie 'javascript_data', :expire_after => 1.day, :http_only => false
|
|
82
|
+
end
|
|
83
|
+
|
|
84
|
+
|
|
85
|
+
## Finding unregistered user cookies
|
|
60
86
|
|
|
61
87
|
There are lots of cookies your application receives that you never did set.
|
|
62
88
|
However, if you want to know about any unknown cookies touching your
|
|
63
|
-
application, SafeCookies
|
|
89
|
+
application, SafeCookies gives you two tools.
|
|
64
90
|
|
|
65
|
-
1) If you set `config.log_unknown_cookies = true` in the configuration, all
|
|
91
|
+
1) If you set `config.log_unknown_cookies = true` in the configuration block, all
|
|
66
92
|
unknown cookies will be written to the Rails log. When you start implementing
|
|
67
93
|
the middleware, closely watch it to find cookies you forgot to register.
|
|
68
94
|
|
|
69
95
|
2) You may overwrite `SafeCookies::Middleware#handle_unknown_cookies(cookies)`
|
|
70
|
-
in the
|
|
96
|
+
in the configuration block for customized behaviour (like, notifying you per
|
|
71
97
|
email).
|
|
72
98
|
|
|
73
|
-
|
|
74
|
-
|
|
75
|
-
|
|
76
|
-
The middleware won't see request cookies that are configured to be ignored. Use this to keep your logs lean, if you are using the `log_unknown_cookies` option.
|
|
77
|
-
|
|
78
|
-
You can tell the middleware to ignore cookies with the `config.ignore_cookie`
|
|
79
|
-
directive, which takes either a String or a Regex parameter. Be careful when using regular expressions!
|
|
99
|
+
To ignore cookies that are irrelevant to you, you may configure them to be
|
|
100
|
+
ignored. Use the `config.ignore_cookie` directive, which takes either a String
|
|
101
|
+
or a Regex parameter. *Be careful when using regular expressions!*
|
|
80
102
|
|
|
81
103
|
|
|
82
|
-
##
|
|
104
|
+
## Fixing cookie paths
|
|
83
105
|
|
|
84
|
-
In August 2013 we noticed a bug in SafeCookies < 0.1.4, by which secured cookies
|
|
85
|
-
current "directory" (see comments in `cookie_path_fix.rb`)
|
|
86
|
-
|
|
106
|
+
In August 2013 we noticed a bug in SafeCookies < 0.1.4, by which secured cookies
|
|
107
|
+
would be set for the current "directory" (see comments in `cookie_path_fix.rb`)
|
|
108
|
+
instead of root (which usually is what you want). Users would get multiple
|
|
109
|
+
cookies for that domain, leading to issues like being unable to sign in.
|
|
87
110
|
|
|
88
|
-
The configuration option `config.fix_paths` turns on fixing this error. It
|
|
89
|
-
`:for_cookies_secured_before => Time.parse('some minutes after
|
|
90
|
-
|
|
91
|
-
|
|
92
|
-
|
|
111
|
+
The configuration option `config.fix_paths` turns on fixing this error. It
|
|
112
|
+
expects an option `:for_cookies_secured_before => Time.parse('some minutes after
|
|
113
|
+
you will have deployed')` which reflects the point of time from which SafeCookies
|
|
114
|
+
can expect cookies to be set with the correct path. It will only rewrite cookies
|
|
115
|
+
with a new path if it had set them before that point of time.
|
|
93
116
|
|
|
94
117
|
|
|
95
118
|
## Development
|
data/lib/safe_cookies/version.rb
CHANGED
data/safe_cookies.gemspec
CHANGED
|
@@ -7,6 +7,7 @@ Gem::Specification.new do |gem|
|
|
|
7
7
|
gem.description = %q{Make all cookies `secure` and `HttpOnly`.}
|
|
8
8
|
gem.summary = %q{Make all cookies `secure` and `HttpOnly`.}
|
|
9
9
|
gem.homepage = "http://www.makandra.de"
|
|
10
|
+
gem.license = "MIT"
|
|
10
11
|
|
|
11
12
|
gem.files = `git ls-files`.split($\)
|
|
12
13
|
gem.executables = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
|
metadata
CHANGED
|
@@ -1,69 +1,69 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: safe_cookies
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.2.
|
|
4
|
+
version: 0.2.2
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Dominik Schöler
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2021-04-06 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rack
|
|
15
15
|
requirement: !ruby/object:Gem::Requirement
|
|
16
16
|
requirements:
|
|
17
|
-
- -
|
|
17
|
+
- - ">="
|
|
18
18
|
- !ruby/object:Gem::Version
|
|
19
19
|
version: '0'
|
|
20
20
|
type: :runtime
|
|
21
21
|
prerelease: false
|
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
|
23
23
|
requirements:
|
|
24
|
-
- -
|
|
24
|
+
- - ">="
|
|
25
25
|
- !ruby/object:Gem::Version
|
|
26
26
|
version: '0'
|
|
27
27
|
- !ruby/object:Gem::Dependency
|
|
28
28
|
name: rspec
|
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
|
30
30
|
requirements:
|
|
31
|
-
- -
|
|
31
|
+
- - ">="
|
|
32
32
|
- !ruby/object:Gem::Version
|
|
33
33
|
version: '0'
|
|
34
34
|
type: :development
|
|
35
35
|
prerelease: false
|
|
36
36
|
version_requirements: !ruby/object:Gem::Requirement
|
|
37
37
|
requirements:
|
|
38
|
-
- -
|
|
38
|
+
- - ">="
|
|
39
39
|
- !ruby/object:Gem::Version
|
|
40
40
|
version: '0'
|
|
41
41
|
- !ruby/object:Gem::Dependency
|
|
42
42
|
name: timecop
|
|
43
43
|
requirement: !ruby/object:Gem::Requirement
|
|
44
44
|
requirements:
|
|
45
|
-
- -
|
|
45
|
+
- - ">="
|
|
46
46
|
- !ruby/object:Gem::Version
|
|
47
47
|
version: '0'
|
|
48
48
|
type: :development
|
|
49
49
|
prerelease: false
|
|
50
50
|
version_requirements: !ruby/object:Gem::Requirement
|
|
51
51
|
requirements:
|
|
52
|
-
- -
|
|
52
|
+
- - ">="
|
|
53
53
|
- !ruby/object:Gem::Version
|
|
54
54
|
version: '0'
|
|
55
55
|
- !ruby/object:Gem::Dependency
|
|
56
56
|
name: debugger
|
|
57
57
|
requirement: !ruby/object:Gem::Requirement
|
|
58
58
|
requirements:
|
|
59
|
-
- -
|
|
59
|
+
- - ">="
|
|
60
60
|
- !ruby/object:Gem::Version
|
|
61
61
|
version: '0'
|
|
62
62
|
type: :development
|
|
63
63
|
prerelease: false
|
|
64
64
|
version_requirements: !ruby/object:Gem::Requirement
|
|
65
65
|
requirements:
|
|
66
|
-
- -
|
|
66
|
+
- - ">="
|
|
67
67
|
- !ruby/object:Gem::Version
|
|
68
68
|
version: '0'
|
|
69
69
|
description: Make all cookies `secure` and `HttpOnly`.
|
|
@@ -73,7 +73,7 @@ executables: []
|
|
|
73
73
|
extensions: []
|
|
74
74
|
extra_rdoc_files: []
|
|
75
75
|
files:
|
|
76
|
-
- .gitignore
|
|
76
|
+
- ".gitignore"
|
|
77
77
|
- Gemfile
|
|
78
78
|
- LICENSE
|
|
79
79
|
- README.md
|
|
@@ -91,7 +91,8 @@ files:
|
|
|
91
91
|
- spec/spec_helper.rb
|
|
92
92
|
- spec/util_spec.rb
|
|
93
93
|
homepage: http://www.makandra.de
|
|
94
|
-
licenses:
|
|
94
|
+
licenses:
|
|
95
|
+
- MIT
|
|
95
96
|
metadata: {}
|
|
96
97
|
post_install_message:
|
|
97
98
|
rdoc_options: []
|
|
@@ -99,17 +100,16 @@ require_paths:
|
|
|
99
100
|
- lib
|
|
100
101
|
required_ruby_version: !ruby/object:Gem::Requirement
|
|
101
102
|
requirements:
|
|
102
|
-
- -
|
|
103
|
+
- - ">="
|
|
103
104
|
- !ruby/object:Gem::Version
|
|
104
105
|
version: '0'
|
|
105
106
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
106
107
|
requirements:
|
|
107
|
-
- -
|
|
108
|
+
- - ">="
|
|
108
109
|
- !ruby/object:Gem::Version
|
|
109
110
|
version: '0'
|
|
110
111
|
requirements: []
|
|
111
|
-
|
|
112
|
-
rubygems_version: 2.1.2
|
|
112
|
+
rubygems_version: 3.2.15
|
|
113
113
|
signing_key:
|
|
114
114
|
specification_version: 4
|
|
115
115
|
summary: Make all cookies `secure` and `HttpOnly`.
|