require File.expand_path('../spec_helper.rb', __FILE__)
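describe Rack::Protection::SessionHijacking do
  it_behaves_like "any rack application"

  # Every example below replays two requests against the same session hash
  # and then inspects that hash. An accepted second request leaves the
  # caller's data (:foo => :bar) in place; a denied one is observable as the
  # session having been emptied. The "accepts" examples assert on the user
  # key itself rather than on non-emptiness so that a session which was
  # dropped and then repopulated by the middleware would still fail the test.

  it "accepts a session without changes to tracked parameters" do
    session = {:foo => :bar}
    get '/', {}, 'rack.session' => session
    get '/', {}, 'rack.session' => session
    session[:foo].should == :bar
  end

  it "denies requests with a changing User-Agent header" do
    session = {:foo => :bar}
    get '/', {}, 'rack.session' => session, 'HTTP_USER_AGENT' => 'a'
    get '/', {}, 'rack.session' => session, 'HTTP_USER_AGENT' => 'b'
    session.should be_empty
  end

  it "accepts requests with a changing Accept-Encoding header" do
    # this is tested because previously it led to clearing the session
    session = {:foo => :bar}
    get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_ENCODING' => 'a'
    get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_ENCODING' => 'b'
    session[:foo].should == :bar
  end

  it "denies requests with a changing Accept-Language header" do
    session = {:foo => :bar}
    get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_LANGUAGE' => 'a'
    get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_LANGUAGE' => 'b'
    session.should be_empty
  end

  it "accepts requests with the same Accept-Language header" do
    session = {:foo => :bar}
    get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_LANGUAGE' => 'a'
    get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_LANGUAGE' => 'a'
    session[:foo].should == :bar
  end

  it "comparison of Accept-Language header is not case sensitive" do
    # only the letter case differs between the two requests; this must not
    # count as a change of the tracked value
    session = {:foo => :bar}
    get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_LANGUAGE' => 'a'
    get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_LANGUAGE' => 'A'
    session[:foo].should == :bar
  end

  it "accepts requests with a changing Version header" do
    session = {:foo => :bar}
    get '/', {}, 'rack.session' => session, 'HTTP_VERSION' => '1.0'
    get '/', {}, 'rack.session' => session, 'HTTP_VERSION' => '1.1'
    session[:foo].should == :bar
  end
end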