Merge pull request #231 from ualbertalib/session_invalidation
add tests for owasp requirement to invalidate cookie on logout and timeout
Showing
6 changed files
with
47 additions
and
3 deletions.
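--- /dev/null
+++ b/[spec file path not shown on page]
@@ -0,0 +1,38 @@
+require 'spec_helper'
+
+describe 'session', :type => :feature do
+let(:user) { FactoryGirl.create :user }
+
+it 'should assign new session after login' do
+visit '/'
+fill_in "search-field-header", with: "Toothbrush"
+click_button "Search ERA"
+session = get_me_the_cookie('_session_id')[:value]
+sign_in user
+expect(session).to_not eq(get_me_the_cookie('_session_id')[:value])
+end
+
+it { expect(user.timedout?(30.minutes.ago)).to be_truthy }
+it { expect(user.timedout?(29.minutes.ago)).to be_falsey }
+
+describe 'expire cookie with logout' do
+before do
+sign_in user
+@session = get_me_the_cookie('_session_id')
+logout
+visit '/'
+end
+
+it 'should assign new session after logout' do
+expect(@session[:value]).to_not eq(get_me_the_cookie('_session_id')[:value])
+end
+
+it 'should invalidate old session' do
+create_cookie('_session_id', @session) #spoof old cookie
+visit '/dashboard'
+expect(page).to have_content 'You need to sign in or sign up before continuing.'
+expect(@session[:value]).to_not eq(get_me_the_cookie('_session_id')[:value])
+end
+end
+
+end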
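Review bot: `create_cookie('_session_id', @session)` on the spoof line passes the whole cookie hash returned by `get_me_the_cookie`, not its value, so if `create_cookie` takes a string value (as the show_me_the_cookies helpers do) the browser never replays the old session id and both expectations in 'should invalidate old session' hold vacuously; it should read `create_cookie('_session_id', @session[:value]) # replay the pre-logout session id`. The two `timedout?` examples only check the model's timeout arithmetic; nothing here replays a cookie after the timeout window and asserts that the server rejects it, which is the timeout half of the invalidation requirement named in the commit title. Whether the login example exercises the controller's session reset depends on how `sign_in` is defined in spec_helper — if it is the Warden test helper rather than a form submission, that path is not covered by this spec.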