%$cfg = (
expires => 7200,
verify_address => 0,
+ verify_user_agent => 0,
%$cfg,
);
$c->delete_session("address mismatch");
return;
}
+ if ( $c->config->{session}{verify_user_agent}
+ && $session_data->{__user_agent} ne $c->request->user_agent )
+ {
+ $c->log->warn(
+ "Deleting session $sid due to user agent mismatch ("
+ . $session_data->{__user_agent} . " != "
+ . $c->request->user_agent . ")"
+ );
+ $c->delete_session("user agent mismatch");
+ return;
+ }
$c->log->debug(qq/Restored session "$sid"/) if $c->debug;
$c->_session_data_sig( Object::Signature::signature($session_data) ) if $session_data;
? ( __address => $c->request->address )
: ()
),
+ (
+ $c->config->{session}{verify_user_agent}
+ ? ( __user_agent => $c->request->user_agent )
+ : ()
+ ),
}
);
}
Defaults to false.
+=item verify_user_agent
+
+When true, C<<$c->request->user_agent>> will be checked at prepare time. If it
+is not the same as the user agent that initiated the session, the session is
+deleted.
+
+Defaults to false.
+
=item flash_to_stash
This option makes it easier to have actions behave the same whether they were
The value of C<< $c->request->address >> at the time the session was created.
This value is only populated if C<verify_address> is true in the configuration.
+=item __user_agent
+
+The value of C<< $c->request->user_agent>> at the time the session was created.
+This value is only populated if C<verify_user_agent> is true in the configuration.
+
=back
=head1 CAVEATS
cmp_deeply(
[ keys %{ $config{session} } ],
- bag(qw/expires verify_address/),
+ bag(qw/expires verify_address verify_user_agent/),
"default values for config were populated in successful setup",
);
use strict;
use warnings;
+__PACKAGE__->config->{session} = {
+ # needed for live_verify_user_agent.t; should be harmless for other tests
+ verify_user_agent => 1,
+};
+
sub login : Global {
my ( $self, $c ) = @_;
$c->session;
}
}
+sub user_agent : Global {
+ my ( $self, $c ) = @_;
+ $c->res->output('UA=' . $c->req->user_agent);
+}
+
__PACKAGE__->setup;
__PACKAGE__;
--- /dev/null
+#!/usr/bin/perl
+
+use strict;
+use warnings;
+
+use Test::More;
+
+BEGIN {
+ eval { require Catalyst::Plugin::Session::State::Cookie; Catalyst::Plugin::Session::State::Cookie->VERSION(0.03) }
+ or plan skip_all =>
+ "Catalyst::Plugin::Session::State::Cookie 0.03 or higher is required for this test";
+
+ eval { require Test::WWW::Mechanize::Catalyst }
+ or plan skip_all =>
+ "Test::WWW::Mechanize::Catalyst is required for this test";
+
+ plan tests => 12;
+}
+
+use lib "t/lib";
+use Test::WWW::Mechanize::Catalyst "SessionTestApp";
+
+my $ua = Test::WWW::Mechanize::Catalyst->new( { agent => 'Initial user_agent'} );
+$ua->get_ok( "http://localhost/user_agent", "get initial user_agent" );
+$ua->content_contains( "UA=Initial user_agent", "test initial user_agent" );
+
+$ua->get_ok( "http://localhost/page", "initial get main page" );
+$ua->content_contains( "please login", "ua not logged in" );
+
+$ua->get_ok( "http://localhost/login", "log ua in" );
+$ua->content_contains( "logged in", "ua logged in" );
+
+$ua->get_ok( "http://localhost/page", "get main page" );
+$ua->content_contains( "you are logged in", "ua logged in" );
+
+$ua->agent('Changed user_agent');
+$ua->get_ok( "http://localhost/user_agent", "get changed user_agent" );
+$ua->content_contains( "UA=Changed user_agent", "test changed user_agent" );
+
+$ua->get_ok( "http://localhost/page", "test deleted session" );
+$ua->content_contains( "please login", "ua not logged in" );