No session fixation I can see here

diff --git a/Changes b/Changes
index b668166..891b2c8 100644 (file)
--- a/Changes
+++ b/Changes
@@ -1,5 +1,9 @@
 Revision history for Perl extension Catalyst::Plugin::Session
 
+        - Add a test case to prove that logging in with a session cookie still causes
+          a new cookie to be issued for you, proving that the code is not vulnerable
+          to a session fixation attack.
+
 0.22 2009-05-13
         - INSANE HACK to ensure B::Hooks::EndOfScope inlines us a new method right now
           in Catalyst::Plugin::Session::Test::Store for Catalyst 5.80004 compatibility. 

diff --git a/t/live_session_fixation.t b/t/live_session_fixation.t
new file mode 100644 (file)
index 0000000..88c9c93
--- /dev/null
+++ b/t/live_session_fixation.t
@@ -0,0 +1,33 @@
+#!/usr/bin/perl
+
+use strict;
+use warnings;
+
+use Test::More;
+
+BEGIN {
+    eval { require Catalyst::Plugin::Session::State::Cookie; Catalyst::Plugin::Session::State::Cookie->VERSION(0.03) }
+      or plan skip_all =>
+      "Catalyst::Plugin::Session::State::Cookie 0.03 or higher is required for this test";
+
+    eval { require Test::WWW::Mechanize::Catalyst }
+      or plan skip_all =>
+      "Test::WWW::Mechanize::Catalyst is required for this test";
+
+    plan tests => 2;
+}
+
+use lib "t/lib";
+use Test::WWW::Mechanize::Catalyst "SessionTestApp";
+
+my $injected_cookie = "sessiontestapp_session=89c3a019866af6f5a305e10189fbb23df3f4772c";
+
+my $ua1 = Test::WWW::Mechanize::Catalyst->new;
+$ua1->add_header('Cookie' => $injected_cookie);
+
+my $res = $ua1->get( "http://localhost/login" );
+my $cookie = $res->header('Set-Cookie');
+
+ok $cookie;
+isnt $cookie, qr/$injected_cookie/, 'Logging in generates us a new cookie';
+