class Rack::Protection::CookieTossing
- Prevented attack: Cookie Tossing
- Supported browsers: all
- More info:
  Does not accept HTTP requests if the HTTP_COOKIE header contains more than one session cookie, or a cookie whose percent-encoded name unescapes to the session key. This does not protect against a cookie overflow attack.
Options:
- session_key: The name of the session cookie (default: 'rack.session')
Public Instance Methods
accepts?(env)
  # File lib/rack/protection/cookie_tossing.rb, line 30
  def accepts?(env)
    cookie_header = env['HTTP_COOKIE']
    # Split the raw Cookie header on ';' or ','. The identity block keeps names
    # and values unescaped so an encoded name can be compared against the raw
    # session key below; repeated names are collected into an Array.
    cookies = Rack::Utils.parse_query(cookie_header, ';,') { |s| s }
    cookies.each do |k, v|
      # Flag the session cookie when it is sent more than once, and any other
      # cookie whose unescaped name equals the session key.
      if (k == session_key && Array(v).size > 1) ||
         (k != session_key && Rack::Utils.unescape(k) == session_key)
        bad_cookies << k  # private helper (list of offending names), not shown here
      end
    end
    bad_cookies.empty?
  end
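The decision made by accepts? above, re-implemented as an added stand-alone example (not rack-protection's own code) with only the Ruby standard library, so it runs without the rack gem. The helper names parse_cookie_header, bad_cookie_keys and accepts_cookies? are chosen here; the Cookie header strings are constructed inputs. It shows which headers the middleware lets through and which names it records as bad.

```ruby
require 'uri'

# Constructed example, not code from rack-protection: reproduces the
# CookieTossing#accepts? decision with stdlib only. Helper names
# (parse_cookie_header, bad_cookie_keys, accepts_cookies?) are assumptions.

# Mirrors Rack::Utils.parse_query(header, ';,') { |s| s }: split the raw
# Cookie header on ';' or ',', keep names and values unescaped (the identity
# block), and collect a repeated name into an Array of its values.
def parse_cookie_header(header)
  cookies = {}
  (header || '').split(/[;,] */).each do |pair|
    next if pair.empty?
    key, value = pair.split('=', 2)
    if cookies.key?(key)
      cookies[key] = Array(cookies[key]) << value
    else
      cookies[key] = value
    end
  end
  cookies
end

# Names the middleware would record as bad:
#  * the session key sent more than once (its value parsed into an Array), or
#  * a name that is not literally the session key but unescapes to it
#    (e.g. 'rack%2Esession'), which a framework that decodes cookie names
#    would otherwise fold into the real session cookie.
def bad_cookie_keys(header, session_key = 'rack.session')
  parse_cookie_header(header).each_with_object([]) do |(k, v), bad|
    duplicated = (k == session_key && Array(v).size > 1)
    disguised  = (k != session_key && URI.decode_www_form_component(k) == session_key)
    bad << k if duplicated || disguised
  end
end

# True when the request would pass the check (no bad cookie names).
def accepts_cookies?(header, session_key = 'rack.session')
  bad_cookie_keys(header, session_key).empty?
end

if __FILE__ == $PROGRAM_NAME
  # Constructed Cookie headers; session ids are arbitrary placeholder strings.
  ok        = 'rack.session=abc123; theme=dark'
  duplicate = 'rack.session=abc123; rack.session=evil456'
  disguised = 'rack.session=abc123; rack%2Esession=evil456'
  [ok, duplicate, disguised].each do |h|
    verdict = accepts_cookies?(h) ? 'accept' : 'reject'
    puts "#{verdict}  <- #{h}  bad=#{bad_cookie_keys(h).inspect}"
  end
end
```

Only the configured session key is guarded: a duplicated cookie under any other name is accepted, which matches the middleware's scope as documented above.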
call(env)
Calls superclass method Rack::Protection::Base#call

  # File lib/rack/protection/cookie_tossing.rb, line 22
  def call(env)
    # Base#call runs accepts? and either passes the request on or redirects.
    status, headers, body = super
    response = Rack::Response.new(body, status, headers)
    request = Rack::Request.new(env)
    # Private helper (not shown here): expires the offending cookies on the
    # client so the next request does not carry them again.
    remove_bad_cookies(request, response)
    response.finish
  end
redirect(env)
  # File lib/rack/protection/cookie_tossing.rb, line 51
  def redirect(env)
    request = Request.new(env)
    # Log the rejected request, then send the client back to the same path.
    warn env, "attack prevented by #{self.class}"
    [302, { 'Content-Type' => 'text/html', 'Location' => request.path }, []]
  end
session_key()
  # File lib/rack/protection/cookie_tossing.rb, line 72
  def session_key
    # Memoised name of the session cookie taken from the :session_key option.
    @session_key ||= options[:session_key]
  end