From: Tomas Doran Date: Sat, 23 May 2009 11:01:44 +0000 (+0000) Subject: No session fixation I can see here X-Git-Tag: v0.23~3 X-Git-Url: http://git.shadowcat.co.uk/gitweb/gitweb.cgi?p=catagits%2FCatalyst-Plugin-Session.git;a=commitdiff_plain;h=73d1f3a228a54c83d1f43feb55bbef94b146f091 No session fixation I can see here
---
diff --git a/Changes b/Changes
index b668166..891b2c8 100644
--- a/Changes
+++ b/Changes
@@ -1,5 +1,9 @@
 Revision history for Perl extension Catalyst::Plugin::Session
+ - Add a test case to prove that logging in with a session cookie still causes
+ a new cookie to be issued for you, proving that the code is not vulnerable
+ to a session fixation attack.
+
 0.22 2009-05-13 - INSANE HACK to ensure B::Hooks::EndOfScope inlines us a new method right now in Catalyst::Plugin::Session::Test::Store for Catalyst 5.80004 compatibility.
diff --git a/t/live_session_fixation.t b/t/live_session_fixation.t
new file mode 100644
index 0000000..88c9c93
--- /dev/null
+++ b/t/live_session_fixation.t
@@ -0,0 +1,33 @@
+#!/usr/bin/perl
+
+use strict;
+use warnings;
+
+use Test::More;
+
+BEGIN {
+ eval { require Catalyst::Plugin::Session::State::Cookie; Catalyst::Plugin::Session::State::Cookie->VERSION(0.03) }
+ or plan skip_all =>
+ "Catalyst::Plugin::Session::State::Cookie 0.03 or higher is required for this test";
+
+ eval { require Test::WWW::Mechanize::Catalyst }
+ or plan skip_all =>
+ "Test::WWW::Mechanize::Catalyst is required for this test";
+
+ plan tests => 2;
+}
+
+use lib "t/lib";
+use Test::WWW::Mechanize::Catalyst "SessionTestApp";
+
+my $injected_cookie = "sessiontestapp_session=89c3a019866af6f5a305e10189fbb23df3f4772c";
+
+my $ua1 = Test::WWW::Mechanize::Catalyst->new;
+$ua1->add_header('Cookie' => $injected_cookie);
+
+my $res = $ua1->get( "http://localhost/login" );
+my $cookie = $res->header('Set-Cookie');
+
+ok $cookie;
+isnt $cookie, qr/$injected_cookie/, 'Logging in generates us a new cookie';
+
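Review bot: The final `isnt` assertion in t/live_session_fixation.t cannot fail, so the test does not prove the absence of session fixation that the Changes entry claims. `isnt` compares with `ne`, and its second argument is a stringified `qr//` object rather than a pattern, so the full Set-Cookie header (which also carries path/expiry attributes) is never equal to it even if the server re-issued the injected session id unchanged. Use a pattern match with the value quoted, `unlike $cookie, qr/\Q$injected_cookie\E/, 'Logging in generates us a new cookie';`, or extract the id from the header with `my ($new_id) = $cookie =~ /sessiontestapp_session=([0-9a-f]+)/;` and assert it with `isnt` against the injected id so the comparison is on the session id alone. The preceding `ok $cookie` passes on any Set-Cookie header; `like $cookie, qr/^sessiontestapp_session=/, 'session cookie issued';` would pin that the session cookie itself was set. Whether `/login` on SessionTestApp actually establishes an authenticated session is not visible in this hunk, so the test as written only inspects the response header.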