make the "remember me" cookie httponly, fixes #3763

Change-Id: I1d7a0eab74c23dbdb4dfdca186b73009dc6aeb6d Reviewed-on: https://gerrit.instructure.com/2230 Tested-by: Hudson <hudson@instructure.com> Reviewed-by: Brian Palmer <brianp@instructure.com>
2011-02-09 15:10:35 -07:00 · 2011-02-09 15:10:35 -07:00 · e693c6ebba
parent 520fb21130
commit e693c6ebba
2 changed files with 35 additions and 0 deletions
--- a/config/initializers/auth_logic_httponly.rb
+++ b/config/initializers/auth_logic_httponly.rb
@ -0,0 +1,15 @@
+# authlogic doesn't support httponly (or secure-only) for the "remember me"
+# cookie yet, so we get to monkey patch. there's an open pull request still
+# pending:
+# https://github.com/binarylogic/authlogic/issues/issue/210
+
+module Authlogic::Session::Cookies::InstanceMethods
+  def save_cookie
+    controller.cookies[cookie_key] = {
+      :value => "#{record.persistence_token}::#{record.send(record.class.primary_key)}",
+      :expires => remember_me_until,
+      :domain => controller.cookie_domain,
+      :httponly => true,
+    }
+  end
+end
--- a/spec/integration/security_spec.rb
+++ b/spec/integration/security_spec.rb
@ -85,4 +85,24 @@ describe "security" do
      RoleOverride.send(:class_variable_get, '@@role_override_chain').should be_empty
    end
  end
+
+  it "should make both session-related cookies httponly" do
+    u = user_with_pseudonym :active_user => true,
+                            :username => "nobody@example.com",
+                            :password => "asdfasdf"
+    u.save!
+
+    https!
+
+    post "/login", "pseudonym_session[unique_id]" => "nobody@example.com",
+      "pseudonym_session[password]" => "asdfasdf",
+      "pseudonym_session[remember_me]" => "1",
+      "redirect_to_ssl" => "1"
+    assert_response 302
+    response['Set-Cookie'].each do |cookie|
+      if cookie =~ /\Apseudonym_credentials=/ || cookie =~ /\A_normandy_session=/
+        cookie.should match(/; *HttpOnly/)
+      end
+    end
+  end
 end