From: KMX
Date: Tue, 7 Jul 2009 20:36:10 +0000 (+0000)
Subject: C::P::Session - branche session_fixation: more sophisticated tests for session_fixation
X-Git-Tag: v0.25~2
X-Git-Url: http://git.shadowcat.co.uk/gitweb/gitweb.cgi?p=catagits%2FCatalyst-Plugin-Session.git;a=commitdiff_plain;h=e108bc2cd28a34edac2e84ca3c4819cf80a0d452

C::P::Session - branche session_fixation: more sophisticated tests for session_fixation
---
diff --git a/t/lib/SessionTestApp.pm b/t/lib/SessionTestApp.pm
index c7258d9..406b672 100644
--- a/t/lib/SessionTestApp.pm
+++ b/t/lib/SessionTestApp.pm
@@ -6,6 +6,8 @@ use Catalyst qw/Session Session::Store::Dummy Session::State::Cookie/;
 use strict;
 use warnings;
+use Data::Dumper;
+
 __PACKAGE__->config->{session} = {
     # needed for live_verify_user_agent.t; should be harmless for other tests
     verify_user_agent => 1,
@@ -24,6 +26,38 @@ sub logout : Global {
     $c->delete_session("logout");
 }
+sub set_session_variable : Global {
+    my ( $self, $c, $var, $val ) = @_;
+    $c->session->{$var} = $val;
+    $c->res->output("session variable set");
+}
+
+sub get_session_variable : Global {
+    my ( $self, $c, $var ) = @_;
+    my $val = $c->session->{$var} || 'n.a.';
+    $c->res->output("VAR_$var=$val");
+}
+
+sub get_sessid : Global {
+    my ( $self, $c ) = @_;
+    my $sid = $c->sessionid || 'n.a.';
+    $c->res->output("SID=$sid");
+}
+
+sub dump_session : Global {
+    my ( $self, $c ) = @_;
+    my $sid = $c->sessionid || 'n.a.';
+    my $dump = Dumper($c->session || 'n.a.');
+    $c->res->output("[SID=$sid]\n$dump");
+}
+
+sub change_sessid : Global {
+    my ( $self, $c ) = @_;
+    #$c->change_session_id;
+    $c->create_session_id;
+    $c->res->output("session id changed");
+}
+
 sub page : Global {
     my ( $self, $c ) = @_;
     if ( $c->session_is_valid ) {
diff --git a/t/live_session_fixation.t b/t/live_session_fixation.t
index 37c4abc..fef7873 100644
--- a/t/live_session_fixation.t
+++ b/t/live_session_fixation.t
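Review bot: In `change_sessid`, the session-fixation scenario ends up exercising `$c->create_session_id` while `#$c->change_session_id;` is left commented out; if `create_session_id` only hands out a fresh id and does not remove the store entries kept under the previous id (I cannot confirm that from this hunk), the data stays reachable to whoever holds the old cookie, which is exactly what live_session_fixation.t is trying to rule out — call the method under test, or keep a `# TODO: switch to change_session_id once it lands` next to the line so the substitution is visible. `get_session_variable` and `dump_session` both read `$c->session`, which as far as I recall creates a session for a client that presents none, so a request carrying an unknown or stale cookie is answered with a brand-new session rather than refused; a comment such as `# NOTE: $c->session creates a session on first access` would keep the test's Set-Cookie checks from being misread. A stored value of `0` or `''` is reported as `n.a.` by the `||` fallback; `my $val = $c->session->{$var} // 'n.a.';` preserves the distinction if the test app may require 5.10.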
@@ -4,6 +4,7 @@
 use strict;
 use warnings;
 use Test::More;
+use Data::Dumper;
 BEGIN {
     eval { require Catalyst::Plugin::Session::State::Cookie; Catalyst::Plugin::Session::State::Cookie->VERSION(0.03) }
@@ -17,20 +18,74 @@ BEGIN {
     or plan skip_all => 'Test::WWW::Mechanize::Catalyst >= 0.51 is required for this test';
-    plan tests => 2;
+    plan tests => 8;
 }
 use lib "t/lib";
 use Test::WWW::Mechanize::Catalyst "SessionTestApp";
+#try completely random cookie unknown for our application; should be rejected
 my $injected_cookie = "sessiontestapp_session=89c3a019866af6f5a305e10189fbb23df3f4772c";
 my $ua1 = Test::WWW::Mechanize::Catalyst->new;
 $ua1->add_header('Cookie' => $injected_cookie);
 my $res = $ua1->get( "http://localhost/login" );
-my $cookie = $res->header('Set-Cookie');
+my $cookie1 = $res->header('Set-Cookie');
-ok $cookie;
-isnt $cookie, qr/$injected_cookie/, 'Logging in generates us a new cookie';
+ok $cookie1, "Set-Cookie 1";
+isnt $cookie1, qr/$injected_cookie/, "Logging in generates us a new cookie";
+$ua1->get( "http://localhost/get_sessid" );
+my $sid1 = $ua1->content;
+
+#set session variable var1 before session id change
+$ua1->get( "http://localhost/set_session_variable/var1/set_before_change");
+$ua1->get( "http://localhost/get_session_variable/var1");
+$ua1->content_is("VAR_var1=set_before_change");
+
+#just diagnostic dump
+$ua1->get( "http://localhost/dump_session" );
+#diag "Before-change:".$ua1->content;
+
+#change session id; all session data should be kept; old session id invalidated
+my $res2 = $ua1->get( "http://localhost/change_sessid" );
+my $cookie2 = $res2->header('Set-Cookie');
+
+ok $cookie2, "Set-Cookie 2";
+isnt $cookie2, $cookie1, "Cookie changed";
+
+$ua1->get( "http://localhost/get_sessid" );
+my $sid2 = $ua1->content;
+isnt $sid2, $sid1, 'SID changed';
+
+#just diagnostic dump
+$ua1->get( "http://localhost/dump_session" );
+#diag "After-change:".$ua1->content;
+
+#set session variable var2 after session id change
+$ua1->get( "http://localhost/set_session_variable/var2/set_after_change");
+
+#check if var1 and var2 contain expected values
+$ua1->get( "http://localhost/get_session_variable/var1");
+$ua1->content_is("VAR_var1=set_before_change");
+$ua1->get( "http://localhost/get_session_variable/var2");
+$ua1->content_is("VAR_var2=set_after_change");
+
+#just diagnostic dump
+$ua1->get( "http://localhost/dump_session" );
+#diag "End1:".$ua1->content;
+
+#try to use old cookie value (before session_id_change)
+my $ua2 = Test::WWW::Mechanize::Catalyst->new;
+$ua2->add_header('Cookie' => $cookie1);
+
+#if we take old cookie we should not be able to get any old session data
+$ua2->get( "http://localhost/get_session_variable/var1");
+$ua2->content_is("VAR_var1=n.a.");
+$ua2->get( "http://localhost/get_session_variable/var2");
+$ua2->content_is("VAR_var2=n.a.");
+
+#just diagnostic dump
+$ua2->get( "http://localhost/dump_session" );
+#diag "End2:".$ua2->content;
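Review bot: `isnt $cookie1, qr/$injected_cookie/, "Logging in generates us a new cookie";` near the top of this hunk is a string inequality against a stringified regex object, so it can never fail and proves nothing about the injected cookie being rejected — the one assertion that carries the fixation check is vacuous; `unlike $cookie1, qr/\Q$injected_cookie\E/, "Logging in generates us a new cookie";` tests what the message claims. `plan tests => 8` also undercounts what now runs: two `ok`, three `isnt` and five `content_is` (each `content_is` is a Test::Builder test) make ten, so the file fails on the plan even when every check passes; use `plan tests => 10;`, or `done_testing;` at the end if the Test::More in use has it. The BEGIN block that holds the plan starts before this hunk. The `use Data::Dumper;` added in the first hunk of this file is not referenced by any live line here — only the commented-out `#diag` lines read `$ua1->content` — so it can go along with them.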