Merge pull request #231 from ualbertalib/session_invalidation

add tests for owasp requirement to invalidate cookie on logout and timeout
ualbertalib · Apr 29, 2015 · d6a7ed7 · d6a7ed7
2 parents bd0eb81 + 6ab8346
commit d6a7ed7
Show file tree

Hide file tree

Showing 6 changed files with 47 additions and 3 deletions.
diff --git a/Gemfile b/Gemfile
@@ -69,4 +69,5 @@ group :development, :test do
   gem "factory_girl_rails"
   gem "database_cleaner"
   gem "capybara-select2", github: "goodwill/capybara-select2"
+  gem "show_me_the_cookies"
 end
diff --git a/Gemfile.lock b/Gemfile.lock
@@ -466,6 +466,8 @@ GEM
       multi_json (~> 1.0)
       rubyzip (~> 1.0)
       websocket (~> 1.0)
+    show_me_the_cookies (2.6.0)
+      capybara (~> 2.0)
     signet (0.6.0)
       addressable (~> 2.3)
       extlib (~> 0.9)
@@ -609,6 +611,7 @@ DEPENDENCIES
   sass-rails (~> 4.0.2)
   sdoc
   selenium-webdriver
+  show_me_the_cookies
   sufia (~> 6.0.0)
   turbolinks
   uglifier (>= 1.3.0)
diff --git a/app/models/user.rb b/app/models/user.rb
@@ -9,10 +9,10 @@ class User < ActiveRecord::Base
 # Connects this user object to Blacklights Bookmarks. 
   include Blacklight::User
   # Include default devise modules. Others available are:
-  # :confirmable, :lockable, :timeoutable and :omniauthable
+  # :omniauthable
   devise :database_authenticatable, :registerable,
          :recoverable, :rememberable, :trackable, :validatable, 
-         :confirmable, :lockable
+         :confirmable, :lockable, :timeoutable
 
   # Method added by Blacklight; Blacklight uses #to_s on your
   # user class to get a user-displayable login/identifier for

diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb
@@ -150,7 +150,7 @@
   # ==> Configuration for :timeoutable
   # The time you want to timeout the user session without activity. After this
   # time the user will be asked for credentials again. Default is 30 minutes.
-  # config.timeout_in = 30.minutes
+  config.timeout_in = 30.minutes
 
   # If true, expires auth token on session timeout.
   # config.expire_auth_token_on_timeout = false

diff --git a/spec/features/session_spec.rb b/spec/features/session_spec.rb
@@ -0,0 +1,38 @@
+require 'spec_helper'
+
+describe 'session', :type => :feature do
+  let(:user) { FactoryGirl.create :user }
+
+  it 'should assign new session after login' do
+    visit '/'
+    fill_in "search-field-header", with: "Toothbrush"
+    click_button "Search ERA"
+    session = get_me_the_cookie('_session_id')[:value]
+    sign_in user
+    expect(session).to_not eq(get_me_the_cookie('_session_id')[:value])
+  end
+
+  it { expect(user.timedout?(30.minutes.ago)).to be_truthy }
+  it { expect(user.timedout?(29.minutes.ago)).to be_falsey }
+
+  describe 'expire cookie with logout' do
+    before do
+      sign_in user
+      @session = get_me_the_cookie('_session_id')
+      logout
+      visit '/'
+    end
+
+    it 'should assign new session after logout' do
+      expect(@session[:value]).to_not eq(get_me_the_cookie('_session_id')[:value])
+    end
+
+    it 'should invalidate old session' do
+      create_cookie('_session_id', @session) #spoof old cookie
+      visit '/dashboard'
+      expect(page).to have_content 'You need to sign in or sign up before continuing.'
+      expect(@session[:value]).to_not eq(get_me_the_cookie('_session_id')[:value])
+    end
+  end
+
+end
diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb
@@ -50,6 +50,8 @@
 
   config.fixture_path = File.expand_path("../fixtures", __FILE__)
 
+  config.include ShowMeTheCookies, :type => :feature
+
 # The settings below are suggested to provide a good initial experience
 # with RSpec, but feel free to customize to your heart's content.
 =begin