From d76c2e82328ed2a00add7bdfb528ed4393e640b7 Mon Sep 17 00:00:00 2001
From: Louise Crow <louise.crow@gmail.com>
Date: Fri, 21 Nov 2014 14:54:26 +0000
Subject: Enforce a lifetime on session cookies

Problem described in http://seclists.org/fulldisclosure/2013/Sep/145

Pattern taken from https://www.coffeepowered.net/2013/09/26/rails-session-cookies/
---
 spec/controllers/general_controller_spec.rb | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)

(limited to 'spec/controllers/general_controller_spec.rb')

diff --git a/spec/controllers/general_controller_spec.rb b/spec/controllers/general_controller_spec.rb
index c0a9d57d3..4a7a0bb48 100644
--- a/spec/controllers/general_controller_spec.rb
+++ b/spec/controllers/general_controller_spec.rb
@@ -126,6 +126,35 @@ describe GeneralController, "when showing the frontpage" do
 
     end
 
+    describe 'when handling logged-in users' do
+
+        before do
+            @user = FactoryGirl.create(:user)
+            session[:user_id] = @user.id
+        end
+
+        it 'should set a time to live on a non "remember me" session' do
+            get :frontpage
+            response.body.should match @user.name
+            session[:ttl].should be_within(1).of(Time.now)
+        end
+
+        it 'should not set a time to live on a "remember me" session' do
+            session[:remember_me] = true
+            get :frontpage
+            response.body.should match @user.name
+            session[:ttl].should be_nil
+        end
+
+        it 'should end a logged-in session whose ttl has expired' do
+            session[:ttl] = Time.now - 4.hours
+            get :frontpage
+            response.should redirect_to signin_path
+            session[:user_id].should be_nil
+        end
+
+    end
+
 end
 
 
-- 
cgit v1.2.3