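#!/usr/bin/perl
#
# Session-fixation regression test for SessionTestApp.
#
# Two properties are checked:
#   1. A client that arrives with a session cookie whose id the application
#      never issued (an id chosen by the client, not the server) must not have
#      that id adopted on login; the application has to issue a fresh one.
#   2. After change_sessid the session data must still be reachable through
#      the new id, and the old id must no longer resolve to any of that data.

use strict;
use warnings;

use Test::More;
use Data::Dumper;

BEGIN {
    eval { require Catalyst::Plugin::Session::State::Cookie; Catalyst::Plugin::Session::State::Cookie->VERSION(0.03) }
      or plan skip_all =>
      "Catalyst::Plugin::Session::State::Cookie 0.03 or higher is required for this test";

    eval {
        require Test::WWW::Mechanize::Catalyst;
        Test::WWW::Mechanize::Catalyst->VERSION(0.51);
    }
    or plan skip_all =>
        'Test::WWW::Mechanize::Catalyst >= 0.51 is required for this test';

    # No fixed plan: the script runs ten assertions (four content_is calls
    # for ua1, two for ua2, plus ok/unlike/isnt), which the former
    # "plan tests => 8" under-counted.  done_testing at the bottom keeps the
    # plan in step with the assertions actually made.
}

use lib "t/lib";
use Test::WWW::Mechanize::Catalyst "SessionTestApp";

# A session cookie carrying an id the application never generated (an
# arbitrary hex string picked for this test); the application must refuse to
# adopt it rather than create a session under a client-chosen id.
my $injected_cookie = "sessiontestapp_session=89c3a019866af6f5a305e10189fbb23df3f4772c";

my $ua1 = Test::WWW::Mechanize::Catalyst->new;
$ua1->add_header('Cookie' => $injected_cookie);

my $res = $ua1->get( "http://localhost/login" );
my $cookie1 = $res->header('Set-Cookie');

ok $cookie1, "Set-Cookie 1";
# isnt() compares with 'ne', so the previous "isnt $cookie1, qr/.../" compared
# the header against the stringified regex object and could never fail.  A
# regex match is what is needed here: Set-Cookie also carries path/expiry
# attributes, so only "does the header contain the injected id" is meaningful.
# \Q...\E keeps the '=' and the hex digits literal.
unlike $cookie1, qr/\Q$injected_cookie\E/, "Logging in generates us a new cookie";

$ua1->get( "http://localhost/get_sessid" );
my $sid1 = $ua1->content;

# Set session variable var1 before the session id changes; it must survive
# the id change below.
$ua1->get( "http://localhost/set_session_variable/var1/set_before_change");
$ua1->get( "http://localhost/get_session_variable/var1");
$ua1->content_is("VAR_var1=set_before_change");

# Diagnostic dump only; uncomment the diag line when debugging.
$ua1->get( "http://localhost/dump_session" );
#diag "Before-change:".$ua1->content;

# Change the session id: all session data must be kept and the old id
# invalidated.
my $res2 = $ua1->get( "http://localhost/change_sessid" );
my $cookie2 = $res2->header('Set-Cookie');

ok $cookie2, "Set-Cookie 2";
isnt $cookie2, $cookie1, "Cookie changed";

$ua1->get( "http://localhost/get_sessid" );
my $sid2 = $ua1->content;
isnt $sid2, $sid1, 'SID changed';

# Diagnostic dump only.
$ua1->get( "http://localhost/dump_session" );
#diag "After-change:".$ua1->content;

# Set session variable var2 after the session id change.
$ua1->get( "http://localhost/set_session_variable/var2/set_after_change");

# Both the pre-change and the post-change variable must be readable under the
# new id.
$ua1->get( "http://localhost/get_session_variable/var1");
$ua1->content_is("VAR_var1=set_before_change");
$ua1->get( "http://localhost/get_session_variable/var2");
$ua1->content_is("VAR_var2=set_after_change");

# Diagnostic dump only.
$ua1->get( "http://localhost/dump_session" );
#diag "End1:".$ua1->content;

# A second client presents the cookie issued before change_sessid.  The old id
# must be dead: none of the session data may be reachable through it.
my $ua2 = Test::WWW::Mechanize::Catalyst->new;
$ua2->add_header('Cookie' => $cookie1);

$ua2->get( "http://localhost/get_session_variable/var1");
$ua2->content_is("VAR_var1=n.a.");
$ua2->get( "http://localhost/get_session_variable/var2");
$ua2->content_is("VAR_var2=n.a.");

# Diagnostic dump only.
$ua2->get( "http://localhost/dump_session" );
#diag "End2:".$ua2->content;

done_testing;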