我正在编写集成测试,以确保我的webapp不易受会话固定的影响。
我已经手动验证reset_session实际上是在验证逻辑中启动了,而且当我使用我的Web浏览器登录时,cookie确实发生了变化(因此,我不再容易受到会话固定的影响) ,但我无法通过RSpec集成测试来成功验证这一点。
这是我的RSpec集成测试。
require 'spec_helper'
describe "security" do
self.use_transactional_fixtures = false
append_after(:each) do
ALL_MODELS.each &:delete_all
end
describe "session fixation" do
it "should change the cookie session id after logging in" do
u = test_user :active_user => true,
:username => "nobody@example.com",
:password => "asdfasdf"
u.save!
https!
get_via_redirect "/login"
assert_response :success
cookie = response.header["Set-Cookie"].split(";").select{|x| x.match(/_session/)}[0].split("=")[1].strip
post_via_redirect "/login", "user[email]" => "nobody@example.com",
"user[password]" => "asdfasdf",
"user[remember_me]" => "1"
assert_response :success
path.should eql("/dashboard")
cookie.should_not eql(response.header["Set-Cookie"].split(";").select{|x| x.match(/_session/)}[0].split("=")[1].strip)
end
end
end
除了之外,最后一个断言的所有内容都是。 cookie不会改变。
RS {/ 1}}无法按预期工作的RSpec / Rails集成测试是否存在任何已知问题?如何编写验证会话固定的测试不是问题?
答案 0 :(得分:0)
所以我最终最终确定了这一点。
我试图直接编辑响应标头以测试cookie,但我想这不是有福的方式。
无论如何,在使用Rails 2.x的集成测试中,您可以使用cookie哈希。以下是测试结果如下:
u = test_user :active_user => true,
:username => "nobody@example.com",
:password => "asdfasdf"
u.save!
https!
get_via_redirect "/login"
assert_response :success
cookie = cookies['_session']
cookie.should be_present
path.should == "/login"
post_via_redirect "/login", "user[email]" => "nobody@example.com",
"user[password]" => "asdfasdf",
"user[remember_me]" => "1"
assert_response :success
path.should eql("/?login_success=1")
new_cookie = cookies['_session']
new_cookie.should be_present
cookie.should_not eql(new_cookie)