Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix invalid session ID handling #2347

Merged
merged 1 commit into from May 6, 2020
Merged

Fix invalid session ID handling #2347

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
8 changes: 7 additions & 1 deletion Sources/Vapor/Sessions/SessionsMiddleware.swift
View file
Open in desktop
Expand Up @@ -42,7 +42,13 @@ public final class SessionsMiddleware: Middleware {
// A cookie value exists, get the session for it.
let id = SessionID(string: cookieValue.string)
return self.session.readSession(id, for: request).flatMap { data in
request._sessionCache.session = .init(id: id, data: data ?? .init())
if let data = data {
// Session found, restore data and id.
request._sessionCache.session = .init(id: id, data: data)
} else {
// Session id not found, create new session.
request._sessionCache.session = .init()
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me!

return next.respond(to: request).flatMap { res in
return self.addCookies(to: res, for: request)
}
Expand Down
52 changes: 52 additions & 0 deletions Tests/VaporTests/SessionTests.swift
View file
Open in desktop
Expand Up @@ -70,6 +70,58 @@ final class SessionTests: XCTestCase {
}
}

func testInvalidCookie() throws {
let app = Application(.testing)
defer { app.shutdown() }

// Configure sessions.
app.sessions.use(.memory)
app.middleware.use(app.sessions.middleware)

// Adds data to the request session.
app.get("set") { req -> HTTPStatus in
req.session.data["foo"] = "bar"
return .ok
}

// Fetches data from the request session.
app.get("get") { req -> String in
guard let foo = req.session.data["foo"] else {
throw Abort(.badRequest)
}
return foo
}


// Test accessing session with no cookie.
try app.test(.GET, "get") { res in
XCTAssertEqual(res.status, .badRequest)
}

// Test setting session with invalid cookie.
var newCookie: HTTPCookies.Value?
try app.test(.GET, "set", beforeRequest: { req in
req.headers.cookie = ["vapor-session": "foo"]
}, afterResponse: { res in
// We should get a new cookie back.
newCookie = res.headers.setCookie?["vapor-session"]
XCTAssertNotNil(newCookie)
// That is not the same as the invalid cookie we sent.
XCTAssertNotEqual(newCookie?.string, "foo")
XCTAssertEqual(res.status, .ok)
})

// Test accessing newly created session.
try app.test(.GET, "get", beforeRequest: { req in
// Pass cookie from previous request.
req.headers.cookie = ["vapor-session": newCookie!]
}, afterResponse: { res in
// Session access should be successful.
XCTAssertEqual(res.body.string, "bar")
XCTAssertEqual(res.status, .ok)
})
}

func testCookieQuotes() throws {
var headers = HTTPHeaders()
headers.replaceOrAdd(name: .cookie, value: #"foo= "+cookie/value" "#)
Expand Down