class Rack::Protection::CookieTossing

Prevented attack

Cookie Tossing

Supported browsers

all

More infos

github.com/blog/1466-yummy-cookies-across-domains

Does not accept HTTP requests if the HTTP_COOKIE header contains more than one session cookie. This does not protect against a cookie overflow attack.

Options:

session_key

The name of the session cookie (default: ‘rack.session’)

Public Instance Methods

accepts?(env) click to toggle source
# File lib/rack/protection/cookie_tossing.rb, line 30
def accepts?(env)
  cookie_header = env['HTTP_COOKIE']
  cookies = Rack::Utils.parse_query(cookie_header, ';,') { |s| s }
  cookies.each do |k, v|
    if (k == session_key && Array(v).size > 1) ||
       (k != session_key && Rack::Utils.unescape(k) == session_key)
      bad_cookies << k
    end
  end
  bad_cookies.empty?
end
bad_cookies() click to toggle source
# File lib/rack/protection/cookie_tossing.rb, line 57
def bad_cookies
  @bad_cookies ||= []
end
call(env) click to toggle source
Calls superclass method Rack::Protection::Base#call
# File lib/rack/protection/cookie_tossing.rb, line 22
def call(env)
  status, headers, body = super
  response = Rack::Response.new(body, status, headers)
  request = Rack::Request.new(env)
  remove_bad_cookies(request, response)
  response.finish
end
redirect(env) click to toggle source
# File lib/rack/protection/cookie_tossing.rb, line 51
def redirect(env)
  request = Request.new(env)
  warn env, "attack prevented by #{self.class}"
  [302, { 'Content-Type' => 'text/html', 'Location' => request.path }, []]
end
remove_bad_cookies(request, response) click to toggle source
# File lib/rack/protection/cookie_tossing.rb, line 42
def remove_bad_cookies(request, response)
  return if bad_cookies.empty?

  paths = cookie_paths(request.path)
  bad_cookies.each do |name|
    paths.each { |path| response.set_cookie name, empty_cookie(request.host, path) }
  end
end
session_key() click to toggle source
# File lib/rack/protection/cookie_tossing.rb, line 72
def session_key
  @session_key ||= options[:session_key]
end