utopia 2.5.3 → 2.5.4
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/lib/utopia/session.rb +5 -12
- data/lib/utopia/version.rb +1 -1
- data/spec/utopia/session_spec.rb +2 -2
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 8fef52d1f6de5c2a8e44763e7f6e7b59869e8a678627b3331876c788a8d1d5c2
|
|
4
|
+
data.tar.gz: 0b89a96822bb9601711c411fd61eeaaf31821f79ec97d15653d8f6f113d0662d
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 656d6a39c064ec5078e8ef16782a013491bcb14b33f8102d4ed0db7e6205152d4bbb25ff0d58afdf328f14c41e43d7dad1234aab68ab2f8a0f483f22ee40fddb
|
|
7
|
+
data.tar.gz: fbb4f8d06aa9181fc06523b2dc0f67872400f7d868ed1f05e6f73d9a07462b6563695613258239352efdbcd83ae3ca7b04cd555eb24f39b2c956c08d3ce89eef
|
data/lib/utopia/session.rb
CHANGED
|
@@ -42,7 +42,7 @@ module Utopia
|
|
|
42
42
|
# @param secret [Array] The secret text used to generate a symetric encryption key for the coookie data.
|
|
43
43
|
# @param expires_after [String] The cache-control header to set for static content.
|
|
44
44
|
# @param options [Hash<Symbol,Object>] Additional defaults used for generating the cookie by `Rack::Utils.set_cookie_header!`.
|
|
45
|
-
def initialize(app, session_name: RACK_SESSION, secret: nil, expires_after: DEFAULT_EXPIRES_AFTER, update_timeout: DEFAULT_UPDATE_TIMEOUT, **options)
|
|
45
|
+
def initialize(app, session_name: RACK_SESSION, secret: nil, expires_after: DEFAULT_EXPIRES_AFTER, update_timeout: DEFAULT_UPDATE_TIMEOUT, secure: false, **options)
|
|
46
46
|
@app = app
|
|
47
47
|
|
|
48
48
|
@session_name = session_name
|
|
@@ -63,7 +63,7 @@ module Utopia
|
|
|
63
63
|
domain: nil,
|
|
64
64
|
path: "/",
|
|
65
65
|
# The Secure attribute is meant to keep cookie communication limited to encrypted transmission, directing browsers to use cookies only via secure/encrypted connections. However, if a web server sets a cookie with a secure attribute from a non-secure connection, the cookie can still be intercepted when it is sent to the user by man-in-the-middle attacks. Therefore, for maximum security, cookies with the Secure attribute should only be set over a secure connection.
|
|
66
|
-
secure:
|
|
66
|
+
secure: secure,
|
|
67
67
|
# The HttpOnly attribute directs browsers not to expose cookies through channels other than HTTP (and HTTPS) requests. This means that the cookie cannot be accessed via client-side scripting languages (notably JavaScript), and therefore cannot be stolen easily via cross-site scripting (a pervasive attack technique).
|
|
68
68
|
http_only: true,
|
|
69
69
|
}.merge(options)
|
|
@@ -122,8 +122,7 @@ module Utopia
|
|
|
122
122
|
# Constructs a valid session for the given request. These fields must match as per the checks performed in `valid_session?`:
|
|
123
123
|
def build_initial_session(request)
|
|
124
124
|
{
|
|
125
|
-
|
|
126
|
-
request_user_agent: request.user_agent,
|
|
125
|
+
user_agent: request.user_agent,
|
|
127
126
|
created_at: Time.now.utc,
|
|
128
127
|
updated_at: Time.now.utc,
|
|
129
128
|
}
|
|
@@ -146,14 +145,8 @@ module Utopia
|
|
|
146
145
|
end
|
|
147
146
|
|
|
148
147
|
def valid_session?(request, values)
|
|
149
|
-
if values[:
|
|
150
|
-
warn "Invalid session because #{values[:
|
|
151
|
-
|
|
152
|
-
return false
|
|
153
|
-
end
|
|
154
|
-
|
|
155
|
-
if values[:request_user_agent] != request.user_agent
|
|
156
|
-
warn "Invalid session because #{values[:request_user_agent]} doesn't match #{request.user_agent}!"
|
|
148
|
+
if values[:user_agent] != request.user_agent
|
|
149
|
+
warn "Invalid session because #{values[:user_agent]} doesn't match #{request.user_agent}!" if $VERBOSE
|
|
157
150
|
|
|
158
151
|
return false
|
|
159
152
|
end
|
data/lib/utopia/version.rb
CHANGED
data/spec/utopia/session_spec.rb
CHANGED
|
@@ -103,12 +103,12 @@ module Utopia::SessionSpec
|
|
|
103
103
|
expect(last_response.body).to be == ""
|
|
104
104
|
end
|
|
105
105
|
|
|
106
|
-
it "
|
|
106
|
+
it "shouldn't fail if ip address is changed" do
|
|
107
107
|
# Change user agent:
|
|
108
108
|
header 'X-Forwarded-For', '127.0.0.10'
|
|
109
109
|
|
|
110
110
|
get "/session-get?key=foo"
|
|
111
|
-
expect(last_response.body).to be == ""
|
|
111
|
+
expect(last_response.body).to be == "bar"
|
|
112
112
|
end
|
|
113
113
|
end
|
|
114
114
|
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: utopia
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 2.5.
|
|
4
|
+
version: 2.5.4
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Samuel Williams
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2018-
|
|
11
|
+
date: 2018-11-05 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: trenni
|