From: KMX <kmx@cpan.org>
Date: Tue, 2 Jun 2009 12:41:20 +0000 (+0000)
Subject: C::Plugin::Session - branche for verify_user_agent option
X-Git-Tag: v0.23~1^2
X-Git-Url: http://git.shadowcat.co.uk/gitweb/gitweb.cgi?a=commitdiff_plain;h=06c621b50a455c2ab40ecadac70c0c02e2adb9cc;p=catagits%2FCatalyst-Plugin-Session.git

C::Plugin::Session - branche for verify_user_agent option
---

diff --git a/lib/Catalyst/Plugin/Session.pm b/lib/Catalyst/Plugin/Session.pm
index b038778..4fdb4f2 100644
--- a/lib/Catalyst/Plugin/Session.pm
+++ b/lib/Catalyst/Plugin/Session.pm
@@ -70,6 +70,7 @@ sub setup_session {
     %$cfg = (
         expires        => 7200,
         verify_address => 0,
+        verify_user_agent => 0,
         %$cfg,
     );
 
@@ -225,6 +226,17 @@ sub _load_session {
                 $c->delete_session("address mismatch");
                 return;
             }
+            if (   $c->config->{session}{verify_user_agent}
+                && $session_data->{__user_agent} ne $c->request->user_agent )
+            {
+                $c->log->warn(
+                        "Deleting session $sid due to user agent mismatch ("
+                      . $session_data->{__user_agent} . " != "
+                      . $c->request->user_agent . ")"
+                );
+                $c->delete_session("user agent mismatch");
+                return;
+            }
 
             $c->log->debug(qq/Restored session "$sid"/) if $c->debug;
             $c->_session_data_sig( Object::Signature::signature($session_data) ) if $session_data;
@@ -454,6 +466,11 @@ sub initialize_session_data {
                 ? ( __address => $c->request->address )
                 : ()
             ),
+            (
+                $c->config->{session}{verify_user_agent}
+                ? ( __user_agent => $c->request->user_agent )
+                : ()
+            ),
         }
     );
 }
@@ -915,6 +932,14 @@ not the same as the address that initiated the session, the session is deleted.
 
 Defaults to false.
 
+=item verify_user_agent
+
+When true, C<<$c->request->user_agent>> will be checked at prepare time. If it
+is not the same as the user agent that initiated the session, the session is 
+deleted.
+
+Defaults to false.
+
 =item flash_to_stash
 
 This option makes it easier to have actions behave the same whether they were
@@ -947,6 +972,11 @@ The time when the session was first created.
 The value of C<< $c->request->address >> at the time the session was created.
 This value is only populated if C<verify_address> is true in the configuration.
 
+=item __user_agent
+
+The value of C<< $c->request->user_agent>> at the time the session was created.
+This value is only populated if C<verify_user_agent> is true in the configuration.
+
 =back
 
 =head1 CAVEATS
diff --git a/t/01_setup.t b/t/01_setup.t
index f23ffa5..7116db2 100644
--- a/t/01_setup.t
+++ b/t/01_setup.t
@@ -63,7 +63,7 @@ ok( !$log->called("fatal"), "no fatal error logged either" );
 
 cmp_deeply(
     [ keys %{ $config{session} } ],
-    bag(qw/expires verify_address/),
+    bag(qw/expires verify_address verify_user_agent/),
     "default values for config were populated in successful setup",
 );
 
diff --git a/t/lib/SessionTestApp.pm b/t/lib/SessionTestApp.pm
index cdd181a..c7258d9 100644
--- a/t/lib/SessionTestApp.pm
+++ b/t/lib/SessionTestApp.pm
@@ -6,6 +6,11 @@ use Catalyst qw/Session Session::Store::Dummy Session::State::Cookie/;
 use strict;
 use warnings;
 
+__PACKAGE__->config->{session} = {
+    # needed for live_verify_user_agent.t; should be harmless for other tests 
+    verify_user_agent => 1,  
+};
+
 sub login : Global {
     my ( $self, $c ) = @_;
     $c->session;
@@ -30,6 +35,11 @@ sub page : Global {
     }
 }
 
+sub user_agent : Global {
+    my ( $self, $c ) = @_;
+    $c->res->output('UA=' . $c->req->user_agent);
+}
+
 __PACKAGE__->setup;
 
 __PACKAGE__;
diff --git a/t/live_verify_user_agent.t b/t/live_verify_user_agent.t
new file mode 100644
index 0000000..04b1fa5
--- /dev/null
+++ b/t/live_verify_user_agent.t
@@ -0,0 +1,41 @@
+#!/usr/bin/perl
+
+use strict;
+use warnings;
+
+use Test::More;
+
+BEGIN {
+    eval { require Catalyst::Plugin::Session::State::Cookie; Catalyst::Plugin::Session::State::Cookie->VERSION(0.03) }
+      or plan skip_all =>
+      "Catalyst::Plugin::Session::State::Cookie 0.03 or higher is required for this test";
+
+    eval { require Test::WWW::Mechanize::Catalyst }
+      or plan skip_all =>
+      "Test::WWW::Mechanize::Catalyst is required for this test";
+
+    plan tests => 12;
+}
+
+use lib "t/lib";
+use Test::WWW::Mechanize::Catalyst "SessionTestApp";
+
+my $ua = Test::WWW::Mechanize::Catalyst->new( { agent => 'Initial user_agent'} );
+$ua->get_ok( "http://localhost/user_agent", "get initial user_agent" );
+$ua->content_contains( "UA=Initial user_agent", "test initial user_agent" );
+
+$ua->get_ok( "http://localhost/page", "initial get main page" );
+$ua->content_contains( "please login", "ua not logged in" );
+
+$ua->get_ok( "http://localhost/login", "log ua in" );
+$ua->content_contains( "logged in", "ua logged in" );
+
+$ua->get_ok( "http://localhost/page", "get main page" );
+$ua->content_contains( "you are logged in", "ua logged in" );
+
+$ua->agent('Changed user_agent');
+$ua->get_ok( "http://localhost/user_agent", "get changed user_agent" );
+$ua->content_contains( "UA=Changed user_agent", "test changed user_agent" );
+
+$ua->get_ok( "http://localhost/page", "test deleted session" );
+$ua->content_contains( "please login", "ua not logged in" );