safe_cookies 0.2.1 → 0.2.2
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +5 -13
- data/.gitignore +1 -0
- data/README.md +72 -49
- data/lib/safe_cookies/version.rb +1 -1
- data/safe_cookies.gemspec +1 -0
- metadata +16 -16
checksums.yaml
CHANGED
|
@@ -1,15 +1,7 @@
|
|
|
1
1
|
---
|
|
2
|
-
|
|
3
|
-
metadata.gz:
|
|
4
|
-
|
|
5
|
-
data.tar.gz: !binary |-
|
|
6
|
-
NDliMDkwMDFjOTMxZDVhNmU4NjgyZDgxZTQ1OWQ1N2E4NjFhNmZmYw==
|
|
2
|
+
SHA256:
|
|
3
|
+
metadata.gz: 7175011cd4a253c98779e5fdb5d221ea99dbbe5708e3a9dce37547ac89d29361
|
|
4
|
+
data.tar.gz: 08e2daf10fdd7ec2a115162969eaffd241edca9f82671a146bfafd381bd9f7a3
|
|
7
5
|
SHA512:
|
|
8
|
-
metadata.gz:
|
|
9
|
-
|
|
10
|
-
YmY0NTdiOGUxODQ4NWFiOTUzOTUyMjM0MTU2ZWUyOGQ3OGUxYjZhMDYzZGFk
|
|
11
|
-
ZDc5NTcwYjg2Zjc5MWM0MzgwMGE3YTA2NGMyZmQxYmIyOTg5NGY=
|
|
12
|
-
data.tar.gz: !binary |-
|
|
13
|
-
NWI3YmNhNzE2ODI1YzQ2ZGQ0NTk3NTAxODg5MTFhMWI0MDIxYWJmODNlZTU2
|
|
14
|
-
ZjVjZDRkYjE1YmNlNTU4YTIwYTYxNTMyNDFjMWQ2MGFiOTU3ZGNkNTlmZmZi
|
|
15
|
-
ZTdlOTI1M2ZhNTE1NDQzZTRiNTIzMjc2NTYxYzk3MGQ1Zjk5N2Q=
|
|
6
|
+
metadata.gz: 8f9932ab978f4cdeabc001314496ffed4214f9a966b45847e246c2c78730b1388ee1169a4def1864edb78481fbb30cefbffe29fd366f1a3abe207d107175c681
|
|
7
|
+
data.tar.gz: d42dbf95c6d38e99c1e0f356f31925ef6da59ba465a768ad5d25f573a02bb75e671330dbe6dfc4a52bf039879eab7ee53fe371d50d7e540ddaa5f87cd93aa8f6
|
data/.gitignore
CHANGED
data/README.md
CHANGED
|
@@ -1,47 +1,61 @@
|
|
|
1
|
+
# This gem is no longer maintained!
|
|
2
|
+
|
|
3
|
+
Read about [reasons and alternatives](https://makandracards.com/makandra/53693-rails-making-all-cookies-secure-to-pass-a-security-audit).
|
|
4
|
+
|
|
5
|
+
|
|
6
|
+
--------------------
|
|
7
|
+
|
|
1
8
|
# SafeCookies
|
|
2
9
|
|
|
3
|
-
This gem has a middleware that will make all cookies secure
|
|
4
|
-
|
|
10
|
+
This gem has a middleware that will make all cookies secure, by setting the
|
|
11
|
+
`HttpOnly` and the `secure` flag for all cookies the application sets on the
|
|
12
|
+
client.
|
|
13
|
+
|
|
14
|
+
Making a cookie `HttpOnly` prevents Javascripts from seeing it, which really
|
|
15
|
+
should be the default. It makes it way harder to steal cookie information via
|
|
16
|
+
malicious Javascript.
|
|
5
17
|
|
|
6
|
-
|
|
7
|
-
|
|
18
|
+
Making a cookie `secure` tells the browser to only send the cookie over HTTPS
|
|
19
|
+
connections, protecting it from being sniffed by a man-in-the-middle. (Setting a
|
|
20
|
+
[HSTS](http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) header
|
|
21
|
+
achieves the same, but Safari < 7 and IE < 11 don't speak HSTS.)
|
|
22
|
+
|
|
23
|
+
SafeCookies will *additionally* rewrite all cookies the user is sending. **But**
|
|
24
|
+
it can only do so, if the cookie was registered before (see below). It will rewrite
|
|
25
|
+
user cookies only once per user.
|
|
8
26
|
|
|
9
|
-
2) rewrite request cookies, setting both flags as above
|
|
10
27
|
|
|
11
28
|
## Installation
|
|
12
29
|
|
|
13
|
-
|
|
14
|
-
Add `gem 'safe_cookies'` to your application's Gemfile, then run `bundle install`.
|
|
30
|
+
1. Add `gem 'safe_cookies'` to your application's Gemfile, then run `bundle install`.
|
|
15
31
|
|
|
16
|
-
|
|
17
|
-
**Rails 3 and 4**: add the following lines to the application block in config/application.rb:
|
|
32
|
+
2. Add a configuration block in an initializer (e.g. `config/initializers/safe_cookies.rb`):
|
|
18
33
|
|
|
19
|
-
|
|
20
|
-
|
|
34
|
+
SafeCookies.configure do |config|
|
|
35
|
+
# configuration ...
|
|
36
|
+
end
|
|
21
37
|
|
|
22
|
-
|
|
38
|
+
3. Register the middleware:
|
|
23
39
|
|
|
24
|
-
|
|
25
|
-
config.middleware.insert_before ActionController::Session::CookieStore, SafeCookies::Middleware
|
|
40
|
+
Rails 3+: add the following lines to the application block in `config/application.rb`:
|
|
26
41
|
|
|
42
|
+
require 'safe_cookies'
|
|
43
|
+
config.middleware.insert_before ActionDispatch::Cookies, SafeCookies::Middleware
|
|
27
44
|
|
|
28
|
-
|
|
29
|
-
a cookie to be accessible via HTTP or Javascript?
|
|
45
|
+
Rails 2: add the following lines to the initializer block in `config/environment.rb`:
|
|
30
46
|
|
|
31
|
-
|
|
32
|
-
|
|
33
|
-
registering them. Do it either just after the lines you added above or in an
|
|
34
|
-
initializer (e.g. in `config/initializers/safe_cookies.rb`). The `:expire_after` option is required.
|
|
47
|
+
require 'safe_cookies'
|
|
48
|
+
config.middleware.insert_before ActionController::Session::CookieStore, SafeCookies::Middleware
|
|
35
49
|
|
|
36
|
-
|
|
37
|
-
|
|
38
|
-
|
|
39
|
-
|
|
50
|
+
Now all new cookies will be made `secure` and `HttpOnly`. But what about cookies
|
|
51
|
+
already out there?
|
|
52
|
+
|
|
53
|
+
|
|
54
|
+
## Updating existing cookies
|
|
40
55
|
|
|
41
|
-
### Employing SafeCookies in apps that are already running in production
|
|
42
56
|
Unfortunately, [the client won't ever tell us](http://tools.ietf.org/html/rfc6265#section-4.2.2)
|
|
43
|
-
if it stores
|
|
44
|
-
|
|
57
|
+
if it stores a cookie with flags such as `secure` or which expiry date it is
|
|
58
|
+
stored with. Therefore, in order to make the middleware retroactively secure
|
|
45
59
|
cookies owned by the client, you need to register each of those cookies with
|
|
46
60
|
the middleware, specifying their properties.
|
|
47
61
|
|
|
@@ -49,47 +63,56 @@ Carefully scan your app for cookies you are using. There's no easy way to find
|
|
|
49
63
|
out if you missed one (but see below for some help the gem provides).
|
|
50
64
|
|
|
51
65
|
SafeCookies.configure do |config|
|
|
52
|
-
config.register_cookie
|
|
53
|
-
config.register_cookie
|
|
66
|
+
config.register_cookie 'remember_token', :expire_after => 1.year
|
|
67
|
+
config.register_cookie 'last_action', :expire_after => 30.days, :path => '/commerce'
|
|
54
68
|
end
|
|
55
69
|
|
|
56
70
|
Available options are: `:expire_after` (required)`, :path, :secure, :http_only`.
|
|
71
|
+
For cookies with "session" expiry, set `:expire_after => nil`.
|
|
57
72
|
|
|
58
73
|
|
|
59
|
-
##
|
|
74
|
+
## Having a cookie non-secure or non-HttpOnly
|
|
75
|
+
|
|
76
|
+
Tell SafeCookies which cookies not to make `secure` or `HttpOnly` by registering
|
|
77
|
+
them, just like above:
|
|
78
|
+
|
|
79
|
+
SafeCookies.configure do |config|
|
|
80
|
+
config.register_cookie 'default_language', :expire_after => 10.years, :secure => false
|
|
81
|
+
config.register_cookie 'javascript_data', :expire_after => 1.day, :http_only => false
|
|
82
|
+
end
|
|
83
|
+
|
|
84
|
+
|
|
85
|
+
## Finding unregistered user cookies
|
|
60
86
|
|
|
61
87
|
There are lots of cookies your application receives that you never did set.
|
|
62
88
|
However, if you want to know about any unknown cookies touching your
|
|
63
|
-
application, SafeCookies
|
|
89
|
+
application, SafeCookies gives you two tools.
|
|
64
90
|
|
|
65
|
-
1) If you set `config.log_unknown_cookies = true` in the configuration, all
|
|
91
|
+
1) If you set `config.log_unknown_cookies = true` in the configuration block, all
|
|
66
92
|
unknown cookies will be written to the Rails log. When you start implementing
|
|
67
93
|
the middleware, closely watch it to find cookies you forgot to register.
|
|
68
94
|
|
|
69
95
|
2) You may overwrite `SafeCookies::Middleware#handle_unknown_cookies(cookies)`
|
|
70
|
-
in the
|
|
96
|
+
in the configuration block for customized behaviour (like, notifying you per
|
|
71
97
|
email).
|
|
72
98
|
|
|
73
|
-
|
|
74
|
-
|
|
75
|
-
|
|
76
|
-
The middleware won't see request cookies that are configured to be ignored. Use this to keep your logs lean, if you are using the `log_unknown_cookies` option.
|
|
77
|
-
|
|
78
|
-
You can tell the middleware to ignore cookies with the `config.ignore_cookie`
|
|
79
|
-
directive, which takes either a String or a Regex parameter. Be careful when using regular expressions!
|
|
99
|
+
To ignore cookies that are irrelevant to you, you may configure them to be
|
|
100
|
+
ignored. Use the `config.ignore_cookie` directive, which takes either a String
|
|
101
|
+
or a Regex parameter. *Be careful when using regular expressions!*
|
|
80
102
|
|
|
81
103
|
|
|
82
|
-
##
|
|
104
|
+
## Fixing cookie paths
|
|
83
105
|
|
|
84
|
-
In August 2013 we noticed a bug in SafeCookies < 0.1.4, by which secured cookies
|
|
85
|
-
current "directory" (see comments in `cookie_path_fix.rb`)
|
|
86
|
-
|
|
106
|
+
In August 2013 we noticed a bug in SafeCookies < 0.1.4, by which secured cookies
|
|
107
|
+
would be set for the current "directory" (see comments in `cookie_path_fix.rb`)
|
|
108
|
+
instead of root (which usually is what you want). Users would get multiple
|
|
109
|
+
cookies for that domain, leading to issues like being unable to sign in.
|
|
87
110
|
|
|
88
|
-
The configuration option `config.fix_paths` turns on fixing this error. It
|
|
89
|
-
`:for_cookies_secured_before => Time.parse('some minutes after
|
|
90
|
-
|
|
91
|
-
|
|
92
|
-
|
|
111
|
+
The configuration option `config.fix_paths` turns on fixing this error. It
|
|
112
|
+
expects an option `:for_cookies_secured_before => Time.parse('some minutes after
|
|
113
|
+
you will have deployed')` which reflects the point of time from which SafeCookies
|
|
114
|
+
can expect cookies to be set with the correct path. It will only rewrite cookies
|
|
115
|
+
with a new path if it had set them before that point of time.
|
|
93
116
|
|
|
94
117
|
|
|
95
118
|
## Development
|
data/lib/safe_cookies/version.rb
CHANGED
data/safe_cookies.gemspec
CHANGED
|
@@ -7,6 +7,7 @@ Gem::Specification.new do |gem|
|
|
|
7
7
|
gem.description = %q{Make all cookies `secure` and `HttpOnly`.}
|
|
8
8
|
gem.summary = %q{Make all cookies `secure` and `HttpOnly`.}
|
|
9
9
|
gem.homepage = "http://www.makandra.de"
|
|
10
|
+
gem.license = "MIT"
|
|
10
11
|
|
|
11
12
|
gem.files = `git ls-files`.split($\)
|
|
12
13
|
gem.executables = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
|
metadata
CHANGED
|
@@ -1,69 +1,69 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: safe_cookies
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.2.
|
|
4
|
+
version: 0.2.2
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Dominik Schöler
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2021-04-06 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rack
|
|
15
15
|
requirement: !ruby/object:Gem::Requirement
|
|
16
16
|
requirements:
|
|
17
|
-
- -
|
|
17
|
+
- - ">="
|
|
18
18
|
- !ruby/object:Gem::Version
|
|
19
19
|
version: '0'
|
|
20
20
|
type: :runtime
|
|
21
21
|
prerelease: false
|
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
|
23
23
|
requirements:
|
|
24
|
-
- -
|
|
24
|
+
- - ">="
|
|
25
25
|
- !ruby/object:Gem::Version
|
|
26
26
|
version: '0'
|
|
27
27
|
- !ruby/object:Gem::Dependency
|
|
28
28
|
name: rspec
|
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
|
30
30
|
requirements:
|
|
31
|
-
- -
|
|
31
|
+
- - ">="
|
|
32
32
|
- !ruby/object:Gem::Version
|
|
33
33
|
version: '0'
|
|
34
34
|
type: :development
|
|
35
35
|
prerelease: false
|
|
36
36
|
version_requirements: !ruby/object:Gem::Requirement
|
|
37
37
|
requirements:
|
|
38
|
-
- -
|
|
38
|
+
- - ">="
|
|
39
39
|
- !ruby/object:Gem::Version
|
|
40
40
|
version: '0'
|
|
41
41
|
- !ruby/object:Gem::Dependency
|
|
42
42
|
name: timecop
|
|
43
43
|
requirement: !ruby/object:Gem::Requirement
|
|
44
44
|
requirements:
|
|
45
|
-
- -
|
|
45
|
+
- - ">="
|
|
46
46
|
- !ruby/object:Gem::Version
|
|
47
47
|
version: '0'
|
|
48
48
|
type: :development
|
|
49
49
|
prerelease: false
|
|
50
50
|
version_requirements: !ruby/object:Gem::Requirement
|
|
51
51
|
requirements:
|
|
52
|
-
- -
|
|
52
|
+
- - ">="
|
|
53
53
|
- !ruby/object:Gem::Version
|
|
54
54
|
version: '0'
|
|
55
55
|
- !ruby/object:Gem::Dependency
|
|
56
56
|
name: debugger
|
|
57
57
|
requirement: !ruby/object:Gem::Requirement
|
|
58
58
|
requirements:
|
|
59
|
-
- -
|
|
59
|
+
- - ">="
|
|
60
60
|
- !ruby/object:Gem::Version
|
|
61
61
|
version: '0'
|
|
62
62
|
type: :development
|
|
63
63
|
prerelease: false
|
|
64
64
|
version_requirements: !ruby/object:Gem::Requirement
|
|
65
65
|
requirements:
|
|
66
|
-
- -
|
|
66
|
+
- - ">="
|
|
67
67
|
- !ruby/object:Gem::Version
|
|
68
68
|
version: '0'
|
|
69
69
|
description: Make all cookies `secure` and `HttpOnly`.
|
|
@@ -73,7 +73,7 @@ executables: []
|
|
|
73
73
|
extensions: []
|
|
74
74
|
extra_rdoc_files: []
|
|
75
75
|
files:
|
|
76
|
-
- .gitignore
|
|
76
|
+
- ".gitignore"
|
|
77
77
|
- Gemfile
|
|
78
78
|
- LICENSE
|
|
79
79
|
- README.md
|
|
@@ -91,7 +91,8 @@ files:
|
|
|
91
91
|
- spec/spec_helper.rb
|
|
92
92
|
- spec/util_spec.rb
|
|
93
93
|
homepage: http://www.makandra.de
|
|
94
|
-
licenses:
|
|
94
|
+
licenses:
|
|
95
|
+
- MIT
|
|
95
96
|
metadata: {}
|
|
96
97
|
post_install_message:
|
|
97
98
|
rdoc_options: []
|
|
@@ -99,17 +100,16 @@ require_paths:
|
|
|
99
100
|
- lib
|
|
100
101
|
required_ruby_version: !ruby/object:Gem::Requirement
|
|
101
102
|
requirements:
|
|
102
|
-
- -
|
|
103
|
+
- - ">="
|
|
103
104
|
- !ruby/object:Gem::Version
|
|
104
105
|
version: '0'
|
|
105
106
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
106
107
|
requirements:
|
|
107
|
-
- -
|
|
108
|
+
- - ">="
|
|
108
109
|
- !ruby/object:Gem::Version
|
|
109
110
|
version: '0'
|
|
110
111
|
requirements: []
|
|
111
|
-
|
|
112
|
-
rubygems_version: 2.1.2
|
|
112
|
+
rubygems_version: 3.2.15
|
|
113
113
|
signing_key:
|
|
114
114
|
specification_version: 4
|
|
115
115
|
summary: Make all cookies `secure` and `HttpOnly`.
|