I am writing an integration test to make sure my webapp is not vulnerable to session fixation.
I checked manually that reset_session actually runs in the authentication logic, and besides that the cookie really changes when I log in to my web browser (so that I am no longer vulnerable to commit the session), but I canβt get my RSpec integration test. to successfully verify this.
Here is my RSpec integration test.
require 'spec_helper' describe "security" do self.use_transactional_fixtures = false append_after(:each) do ALL_MODELS.each &:delete_all end describe "session fixation" do it "should change the cookie session id after logging in" do u = test_user :active_user => true, :username => " nobody@example.com ", :password => "asdfasdf" u.save! https! get_via_redirect "/login" assert_response :success cookie = response.header["Set-Cookie"].split(";").select{|x| x.match(/_session/)}[0].split("=")[1].strip post_via_redirect "/login", "user[email]" => " nobody@example.com ", "user[password]" => "asdfasdf", "user[remember_me]" => "1" assert_response :success path.should eql("/dashboard") cookie.should_not eql(response.header["Set-Cookie"].split(";").select{|x| x.match(/_session/)}[0].split("=")[1].strip) end end end
Everything works, except for the most recent statement. The cookie does not change.
Are there any known issues with RSpec / Rails integration tests where reset_session does not work as expected? What can I do to write a test that checks for session fixation is not a problem?
source share