[Catalyst-commits] r10246 - in Catalyst-Plugin-Session/0.00/trunk: . t

t0m at dev.catalyst.perl.org
Sat May 23 11:01:45 GMT 2009


Author: t0m
Date: 2009-05-23 11:01:44 +0000 (Sat, 23 May 2009)
New Revision: 10246

Added:
   Catalyst-Plugin-Session/0.00/trunk/t/live_session_fixation.t
Modified:
   Catalyst-Plugin-Session/0.00/trunk/Changes
Log:
No session fixation I can see here

Modified: Catalyst-Plugin-Session/0.00/trunk/Changes
===================================================================
--- Catalyst-Plugin-Session/0.00/trunk/Changes	2009-05-23 10:56:27 UTC (rev 10245)
+++ Catalyst-Plugin-Session/0.00/trunk/Changes	2009-05-23 11:01:44 UTC (rev 10246)
@@ -1,5 +1,9 @@
 Revision history for Perl extension Catalyst::Plugin::Session
 
+        - Add a test case to prove that logging in with a session cookie still causes
+          a new cookie to be issued for you, proving that the code is not vulnerable
+          to a session fixation attack.
+
 0.22 2009-05-13
         - INSANE HACK to ensure B::Hooks::EndOfScope inlines us a new method right now
           in Catalyst::Plugin::Session::Test::Store for Catalyst 5.80004 compatibility. 
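Review bot: the new entry sits directly under the "Revision history" heading with no version/date line of its own, so it reads as belonging to no release and will be merged into 0.22 by anyone skimming the file; add a placeholder heading for the next release above the three new lines. The wording "proving that the code is not vulnerable to a session fixation attack" also overstates what one live test with a single pre-set cookie can establish: it shows that the login action issues a fresh session cookie instead of keeping the supplied one, and the entry should say that rather than claim immunity.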

Added: Catalyst-Plugin-Session/0.00/trunk/t/live_session_fixation.t
===================================================================
--- Catalyst-Plugin-Session/0.00/trunk/t/live_session_fixation.t	                        (rev 0)
+++ Catalyst-Plugin-Session/0.00/trunk/t/live_session_fixation.t	2009-05-23 11:01:44 UTC (rev 10246)
@@ -0,0 +1,33 @@
+#!/usr/bin/perl
+
+use strict;
+use warnings;
+
+use Test::More;
+
+BEGIN {
+    eval { require Catalyst::Plugin::Session::State::Cookie; Catalyst::Plugin::Session::State::Cookie->VERSION(0.03) }
+      or plan skip_all =>
+      "Catalyst::Plugin::Session::State::Cookie 0.03 or higher is required for this test";
+
+    eval { require Test::WWW::Mechanize::Catalyst }
+      or plan skip_all =>
+      "Test::WWW::Mechanize::Catalyst is required for this test";
+
+    plan tests => 2;
+}
+
+use lib "t/lib";
+use Test::WWW::Mechanize::Catalyst "SessionTestApp";
+
+my $injected_cookie = "sessiontestapp_session=89c3a019866af6f5a305e10189fbb23df3f4772c";
+
+my $ua1 = Test::WWW::Mechanize::Catalyst->new;
+$ua1->add_header('Cookie' => $injected_cookie);
+
+my $res = $ua1->get( "http://localhost/login" );
+my $cookie = $res->header('Set-Cookie');
+
+ok $cookie;
+isnt $cookie, qr/$injected_cookie/, 'Logging in generates us a new cookie';
+
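Review bot: the final assertion `isnt $cookie, qr/$injected_cookie/` does not test what the test name claims. `isnt` compares with `ne`, so the Set-Cookie header string is compared against the stringified regex object and the two are never equal; the test passes whether or not the injected session id was reissued. Use `unlike $cookie, qr/\Q$injected_cookie\E/, 'Logging in generates us a new cookie';` (or extract the session id from Set-Cookie and `isnt` it against the injected id), since a plain string `isnt` would also pass trivially because the header carries path and expiry attributes. Note that `ok $cookie` on its own only shows a cookie was set, so without the corrected second assertion this test cannot detect the fixation it is meant to rule out.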