class Rack::Protection::CookieTossing

Prevented attack

Cookie Tossing

Supported browsers

all

More infos

github.com/blog/1466-yummy-cookies-across-domains

Does not accept HTTP requests if the HTTP_COOKIE header contains more than one session cookie. This does not protect against a cookie overflow attack.

Options:

session_key

The name of the session cookie (default: 'rack.session')

Public Instance Methods

accepts?(env) click to toggle source
# File lib/rack/protection/cookie_tossing.rb, line 28
def accepts?(env)
  cookie_header = env['HTTP_COOKIE']
  cookies = Rack::Utils.parse_query(cookie_header, ';,') { |s| s }
  cookies.each do |k, v|
    if k == session_key && Array(v).size > 1
      bad_cookies << k
    elsif k != session_key && Rack::Utils.unescape(k) == session_key
      bad_cookies << k
    end
  end
  bad_cookies.empty?
end
bad_cookies() click to toggle source
# File lib/rack/protection/cookie_tossing.rb, line 55
def bad_cookies
  @bad_cookies ||= []
end
call(env) click to toggle source
Calls superclass method Rack::Protection::Base#call
# File lib/rack/protection/cookie_tossing.rb, line 20
def call(env)
  status, headers, body = super
  response = Rack::Response.new(body, status, headers)
  request = Rack::Request.new(env)
  remove_bad_cookies(request, response)
  response.finish
end
redirect(env) click to toggle source
# File lib/rack/protection/cookie_tossing.rb, line 49
def redirect(env)
  request = Request.new(env)
  warn env, "attack prevented by #{self.class}"
  [302, {'Content-Type' => 'text/html', 'Location' => request.path}, []]
end
remove_bad_cookies(request, response) click to toggle source
# File lib/rack/protection/cookie_tossing.rb, line 41
def remove_bad_cookies(request, response)
  return if bad_cookies.empty?
  paths = cookie_paths(request.path)
  bad_cookies.each do |name|
    paths.each { |path| response.set_cookie name, empty_cookie(request.host, path) }
  end
end
session_key() click to toggle source
# File lib/rack/protection/cookie_tossing.rb, line 70
def session_key
  @session_key ||= options[:session_key]
end