Rails/RSpec:reset_session 在集成测试期间不会更改 Set-Cookie HTTP 标头值
我正在编写一个集成测试,以确保我的网络应用程序不易受到会话固定的影响。
我已经手动验证了 reset_session 实际上在身份验证逻辑中触发,并且当我使用网络浏览器登录时,cookie 确实发生了变化(因此,我不再容易受到会话固定的影响) ,但我无法让我的 RSpec 集成测试成功验证这一点。
这是我的 RSpec 集成测试。
require 'spec_helper'
describe "security" do
self.use_transactional_fixtures = false
append_after(:each) do
ALL_MODELS.each &:delete_all
end
describe "session fixation" do
it "should change the cookie session id after logging in" do
u = test_user :active_user => true,
:username => "[email protected]",
:password => "asdfasdf"
u.save!
https!
get_via_redirect "/login"
assert_response :success
cookie = response.header["Set-Cookie"].split(";").select{|x| x.match(/_session/)}[0].split("=")[1].strip
post_via_redirect "/login", "user[email]" => "[email protected]",
"user[password]" => "asdfasdf",
"user[remember_me]" => "1"
assert_response :success
path.should eql("/dashboard")
cookie.should_not eql(response.header["Set-Cookie"].split(";").select{|x| x.match(/_session/)}[0].split("=")[1].strip)
end
end
end
除了最后一个断言之外,一切都有效。 cookie 不会改变。
RSpec/Rails 集成测试是否存在任何已知问题,其中 reset_session 无法按预期工作?我可以做什么来编写一个测试来验证会话固定不是问题?
I'm writing an integration test to make sure my webapp isn't vulnerable to session fixation.
I have manually verified that reset_session is actually firing in the authentication logic, and further that the cookie does indeed change when I log in with my web browser (so, I'm not vulnerable to session fixation anymore), but I can't get my RSpec integration test to successfully verify this.
Here is my RSpec integration test.
require 'spec_helper'
describe "security" do
self.use_transactional_fixtures = false
append_after(:each) do
ALL_MODELS.each &:delete_all
end
describe "session fixation" do
it "should change the cookie session id after logging in" do
u = test_user :active_user => true,
:username => "[email protected]",
:password => "asdfasdf"
u.save!
https!
get_via_redirect "/login"
assert_response :success
cookie = response.header["Set-Cookie"].split(";").select{|x| x.match(/_session/)}[0].split("=")[1].strip
post_via_redirect "/login", "user[email]" => "[email protected]",
"user[password]" => "asdfasdf",
"user[remember_me]" => "1"
assert_response :success
path.should eql("/dashboard")
cookie.should_not eql(response.header["Set-Cookie"].split(";").select{|x| x.match(/_session/)}[0].split("=")[1].strip)
end
end
end
Everything works except for the very last assert. The cookie doesn't change.
Are there any known issues with RSpec/Rails integration tests where reset_session doesn't work as expected? What can I do to write a test that verifies session fixation is not an issue?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
所以我最终确实弄清楚了这一点。
我试图直接编辑响应标头来测试 cookie,但我想这不是最好的方法。
无论如何,在 Rails 2.x 的集成测试中,您可以使用 cookies 哈希。测试结果如下:
So I eventually did end up figuring this out.
I was trying to edit the response header directly to test cookies, but I guess that's not the blessed way.
In integration tests with Rails 2.x anyway, there's a cookies hash that you can use. Here's what the test ended up looking like: