authorLouise Crow <louise.crow@gmail.com>2014-11-21 14:54:26 +0000
committerLouise Crow <louise.crow@gmail.com>2014-12-12 17:53:34 +0000
commitd76c2e82328ed2a00add7bdfb528ed4393e640b7 (patch)
treec00101292ac9e819138908d339913006d0682699 /spec/controllers/general_controller_spec.rb
parentaf2e8aa9e6e978f1b6cd37a92b492e8a89e2ee4d (diff)
Enforce a lifetime on session cookies
The problem is described in http://seclists.org/fulldisclosure/2013/Sep/145; the pattern is taken from https://www.coffeepowered.net/2013/09/26/rails-session-cookies/
Diffstat (limited to 'spec/controllers/general_controller_spec.rb')
-rw-r--r--spec/controllers/general_controller_spec.rb29
1 files changed, 29 insertions, 0 deletions
diff --git a/spec/controllers/general_controller_spec.rb b/spec/controllers/general_controller_spec.rb
index c0a9d57d3..4a7a0bb48 100644
--- a/spec/controllers/general_controller_spec.rb
+++ b/spec/controllers/general_controller_spec.rb
@@ -126,6 +126,35 @@ describe GeneralController, "when showing the frontpage" do
end
+ describe 'when handling logged-in users' do
+
+ before do
+ @user = FactoryGirl.create(:user)
+ session[:user_id] = @user.id
+ end
+
+ it 'should set a time to live on a non "remember me" session' do
+ get :frontpage
+ response.body.should match @user.name
+ session[:ttl].should be_within(1).of(Time.now)
+ end
+
+ it 'should not set a time to live on a "remember me" session' do
+ session[:remember_me] = true
+ get :frontpage
+ response.body.should match @user.name
+ session[:ttl].should be_nil
+ end
+
+ it 'should end a logged-in session whose ttl has expired' do
+ session[:ttl] = Time.now - 4.hours
+ get :frontpage
+ response.should redirect_to signin_path
+ session[:user_id].should be_nil
+ end
+
+ end
+
end
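Review bot: The expiry case (`should end a logged-in session whose ttl has expired`) only asserts that `session[:user_id]` is cleared, so a controller that nils user_id but leaves the stale `:ttl` and the rest of the session in place would still pass; add `session[:ttl].should be_nil` beside the user_id assertion, or assert the whole session is reset if the controller calls `reset_session`. There is also no positive case pinning that a session whose ttl is still inside the lifetime stays logged in, so the `4.hours` choice is untested at the boundary and the lifetime constant itself lives in the controller, outside this spec. The `be_within(1).of(Time.now)` check reads as a last-activity stamp rather than an absolute expiry; if the controller refreshes it on every request, a stolen non-"remember me" cookie can be kept alive indefinitely by periodic requests, so an absolute cap is worth its own assertion if one is enforced. Note too that a "remember me" session gets no ttl at all, which is the deliberate trade-off here but worth a one-line comment in the spec saying so.
```ruby
      it 'should keep a logged-in session whose ttl has not expired' do
        session[:ttl] = Time.now - 1.minute   # assumes the lifetime is longer than a minute
        get :frontpage
        response.body.should match @user.name
        session[:user_id].should == @user.id
      end
```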