require 'spec_helper'
# Examples for the Rack middleware WhatDoTheyKnow::StripEmptySessions.
#
# Each example runs one GET through the middleware wrapped around a stub app
# and inspects the Set-Cookie header of the response. As pinned here, a session
# holding only :session_id, :_csrf_token and (optionally) :locale counts as
# empty; any other key, including :using_admin, keeps the cookie.
#
# NOTE(review): with the cookie stripped, a :_csrf_token held only in such a
# session is presumably not persisted for that visitor -- confirm no
# state-changing form is expected to validate a token for cookie-less users.
describe WhatDoTheyKnow::StripEmptySessions do

  # Session cookie header value emitted by the stub app. Returned as a new
  # String on every call so an expectation never shares an object with the
  # header that was handed to the middleware.
  def session_cookie
    'mykey=f274c61a35320c52d45e9f8d7d4e2649; path=/; HttpOnly'
  end

  # Response headers of the stub app: an HTML content type plus the given
  # Set-Cookie value (a String, or an Array when several cookies are set).
  def html_headers(set_cookie)
    { 'Content-Type' => 'text/html', 'Set-Cookie' => set_cookie }
  end

  # Runs a GET for '/' through the middleware and returns the mock response.
  # The stub app stores +session_data+ in env['rack.session'] and answers 200
  # with +response_headers+.
  def make_response(session_data, response_headers)
    inner_app = lambda do |env|
      env['rack.session'] = session_data
      [200, response_headers, ['content']]
    end
    # :key must match the cookie name used in session_cookie ('mykey').
    cookie_options = { :key => 'mykey', :path => '', :httponly => true }
    wrapped_app = WhatDoTheyKnow::StripEmptySessions.new(inner_app, cookie_options)
    Rack::MockRequest.new(wrapped_app).get('/', 'HTTP_ACCEPT' => 'text/html')
  end

  it 'should not prevent a cookie being set if there is data in the session' do
    populated_session = { :some_real_data => 'important',
                          :session_id => 'my_session_id',
                          :_csrf_token => 'hi_there' }
    response = make_response(populated_session, html_headers(session_cookie))
    # The cookie passes through unchanged, HttpOnly attribute included.
    response.headers['Set-Cookie'].should == session_cookie
  end

  describe 'if there is no meaningful data in the session' do

    before do
      # Only bookkeeping keys; individual examples add to this hash.
      @session_data = { :session_id => 'my_session_id',
                        :_csrf_token => 'hi_there' }
    end

    it 'should not strip any other header' do
      response = make_response(@session_data, html_headers(session_cookie))
      response.headers['Content-Type'].should == 'text/html'
    end

    it 'should strip the session cookie setting header ' do
      response = make_response(@session_data, html_headers(session_cookie))
      response.headers['Set-Cookie'].should == ""
    end

    it 'should strip the session cookie setting header even with a locale' do
      @session_data[:locale] = 'en'
      response = make_response(@session_data, html_headers(session_cookie))
      response.headers['Set-Cookie'].should == ""
    end

    it 'should not strip the session cookie setting for admins' do
      # An admin marker must keep the session cookie, otherwise the admin
      # session would be dropped on this response.
      @session_data[:using_admin] = 1
      response = make_response(@session_data, html_headers(session_cookie))
      response.headers['Set-Cookie'].should == session_cookie
    end

    it 'should strip the session cookie setting header (but no other cookie setting header) if there is more than one' do
      # Only the cookie named by :key is removed; unrelated cookies survive.
      both_cookies = [session_cookie, 'other=mydata']
      response = make_response(@session_data, html_headers(both_cookies))
      response.headers['Set-Cookie'].should == ['other=mydata']
    end

  end
end