Skip to main content

Ruby: Using reset_session in Rails with Cucumber and Webrat

I filed the following bug:
All the Rails security guides say that you should call reset_session after the user logs in or logs out. This clears out the session and forces a new session ID to be created. It seems there have been a few Rails bugs related to reset_session over the years. However, I'm now worried that there's a conflict somewhere related to Rails' testing infrastructure and/or Webrat.

In my login action, I call reset_session and then put a nice message in flash. When I actually use the website, I can see (via Firefox) that I'm getting a new session ID, and I can see my flash message. However, when I write tests for those two things, the flash message gets lost, and I don't get a new session ID in my cookies. It's almost as if the new session is being ignored, and the old session is being used.

I'm sorry, but I can't tell exactly where the problem is. I know that there's special Rails code that handles session cookies when you're doing integration testing.

I'm using actionpack-2.3.8 and webrat-0.7.1.
Here's how I did my best to work around the problem.

First of all, I'm storing my sessions in the database. Hence, I created an ActiveRecord model to manually delete session records:
class Session < ActiveRecord::Base
# Rails' reset_session has been nothing but trouble for us. I'm taking
# matters into my own hands. This code will have to change if we stop
# putting our sessions in the database.
def self.nuke_session(session_id)
find_by_session_id!(session_id).destroy
end
end
Since I'm using authlogic, my logout action looks something like this:
def destroy
current_user_session.destroy

# Avoid session fixation attacks. This may seem redundant, but it was
# necessary to make the tests pass.
session[:test_that_this_disappears] = 'ok'
session_id = cookies[ActionController::Base.session_options[:key]]
Session.nuke_session(session_id)
reset_session

redirect_to :action => :logged_out
end
My login action is something like this:
def create
@user_session = UserSession.new(params[:user_session])
unless @user_session.valid?
return render :action => :new
end

# Avoid session fixation attacks by resetting the session.
reset_session
@user_session = UserSession.new(params[:user_session])
@user_session.save!

# For some reason, flash, reset_session, Cucumber, etc. don't get along,
# so I have to pass the flash message via a parameter.
redirect_to(root_url(:login => 1))
end
Instead of setting a message via flash, I pass a query parameter.

I check for this parameter in my ApplicationController:
before_filter :check_for_login_message
...
# For some reason, flash, reset_session, Cucumber, etc. don't get along.
# Hence, after login, we have to pass the flash message via a query parameter
# rather than via flash.
#
# If I have to do this kind of thing again, I'll create a lookup table full
# of messages.
def check_for_login_message
flash.now[:success_message] = "Login successful!" if params[:login]
end
Finally, I have this in a feature file:
# This test should work.  In fact, it does work when you use your browser.
# However, there's a bug somewhere between Rails and Webrat that prevents
# it from working when you use Cucumber. Somehow, reset_session is broken.
#
# Scenario: logging in should invalidate your session cookie
# Given I am on the homepage
# When I look at my session cookie
# And I am logged in
# Then I should have a different session cookie
That test relies on these steps:
# This test should work.  In fact, it does work when you use your browser.
# However, there's a bug somewhere between Rails and Webrat that prevents
# it from working when you use Cucumber. Somehow, reset_session is broken.
#
# Given /^I look at my session cookie$/ do
# @cookie = cookies[ActionController::Base.session_options[:key]]
# end
#
# Then /^I should have a different session cookie$/ do
# new_cookie = cookies[ActionController::Base.session_options[:key]]
# new_cookie.should_not == @cookie
# end

Comments

Popular posts from this blog

Drawing Sierpinski's Triangle in Minecraft Using Python

In his keynote at PyCon, Eben Upton, the Executive Director of the Rasberry Pi Foundation, mentioned that not only has Minecraft been ported to the Rasberry Pi, but you can even control it with Python . Since four of my kids are avid Minecraft fans, I figured this might be a good time to teach them to program using Python. So I started yesterday with the goal of programming something cool for Minecraft and then showing it off at the San Francisco Python Meetup in the evening. The first problem that I faced was that I didn't have a Rasberry Pi. You can't hack Minecraft by just installing the Minecraft client. Speaking of which, I didn't have the Minecraft client installed either ;) My kids always play it on their Nexus 7s. I found an open source Minecraft server called Bukkit that "provides the means to extend the popular Minecraft multiplayer server." Then I found a plugin called RaspberryJuice that implements a subset of the Minecraft Pi modding API for B

Ubuntu 20.04 on a 2015 15" MacBook Pro

I decided to give Ubuntu 20.04 a try on my 2015 15" MacBook Pro. I didn't actually install it; I just live booted from a USB thumb drive which was enough to try out everything I wanted. In summary, it's not perfect, and issues with my camera would prevent me from switching, but given the right hardware, I think it's a really viable option. The first thing I wanted to try was what would happen if I plugged in a non-HiDPI screen given that my laptop has a HiDPI screen. Without sub-pixel scaling, whatever scale rate I picked for one screen would apply to the other. However, once I turned on sub-pixel scaling, I was able to pick different scale rates for the internal and external displays. That looked ok. I tried plugging in and unplugging multiple times, and it didn't crash. I doubt it'd work with my Thunderbolt display at work, but it worked fine for my HDMI displays at home. I even plugged it into my TV, and it stuck to the 100% scaling I picked for the othe

Creating Windows 10 Boot Media for a Lenovo Thinkpad T410 Using Only a Mac and a Linux Machine

TL;DR: Giovanni and I struggled trying to get Windows 10 installed on the Lenovo Thinkpad T410. We struggled a lot trying to create the installation media because we only had a Mac and a Linux machine to work with. Everytime we tried to boot the USB thumb drive, it just showed us a blinking cursor. At the end, we finally realized that Windows 10 wasn't supported on this laptop :-/ I've heard that it took Thomas Edison 100 tries to figure out the right material to use as a lightbulb filament. Well, I'm no Thomas Edison, but I thought it might be noteworthy to document our attempts at getting it to boot off a USB thumb drive: Download the ISO. Attempt 1: Use Etcher. Etcher says it doesn't work for Windows. Attempt 2: Use Boot Camp Assistant. It doesn't have that feature anymore. Attempt 3: Use Disk Utility on a Mac. Erase a USB thumb drive: Format: ExFAT Scheme: GUID Partition Map Mount the ISO. Copy everything from