@moro
Created October 21, 2011 10:00
protect rails w/cookie-session against #wasbook 4.8.2 case.
require 'digest/sha1'
require 'securerandom'

# Binds the (cookie-store) session to a second cookie that carries the Secure
# flag. The session cookie itself also travels over plain HTTP; the Secure
# cookie is only ever sent over HTTPS, so an HTTPS request that presents a
# session without the matching Secure cookie is answered with 400.
module SecureCookieViolationProtect
  extend ActiveSupport::Concern

  included do
    before_filter do
      # Plain-HTTP requests are not checked.
      return true unless request.ssl?
      # Over HTTPS the Secure cookie must equal the keyed hash of the session token.
      return true if secure_cookie_token(session[:token]) == cookies[:secure_cookie_token]
      head(:bad_request)
    end
  end

  # Whenever the session is reset, issue a fresh random token, keep it in the
  # session and put its keyed hash into a Secure-only cookie.
  # Note: until this has run, session[:token] is nil and every HTTPS request
  # fails the filter above with 400.
  def reset_session
    super
    session[:token] = SecureRandom.hex
    cookies[:secure_cookie_token] = { value: secure_cookie_token(session[:token]), secure: true }
  end

  private

  # SHA-1 over the token and the application secret, so the cookie value
  # cannot be derived from the session token alone.
  def secure_cookie_token(token)
    Digest::SHA1.hexdigest([token, Rails.application.config.secret_token].join("\0"))
  end
end
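As an added example (not part of the gist), the same token derivation and check in plain Ruby outside Rails, with a constructed cookie jar that models the Secure flag. Assumptions: the cookie-store session is simplified to a non-Secure `session_token` cookie, the secret is a constructed string, and the fixed-time comparison is an added hardening that the gist does not have.

```ruby
require 'digest/sha1'
require 'securerandom'

# Browser-side cookie jar (constructed stand-in): a Secure cookie is only sent over TLS.
class CookieJar
  def initialize; @cookies = {}; end
  def []=(name, attrs); @cookies[name] = { value: attrs[:value], secure: attrs.fetch(:secure, false) }; end
  # Cookies the browser would attach to a request over the given scheme.
  def sent_over(ssl:)
    @cookies.each_with_object({}) { |(n, c), h| h[n] = c[:value] if ssl || !c[:secure] }
  end
end

# Server side: the gist's derivation, reset and check, detached from Rails.
class SecureCookieBinding
  def initialize(secret); @secret = secret; end

  def secure_cookie_token(token)
    Digest::SHA1.hexdigest([token, @secret].join("\0"))
  end

  # Mirrors the gist's reset_session: new token in the (non-Secure) session cookie,
  # its keyed hash in a Secure-only cookie.
  def reset_session(jar)
    token = SecureRandom.hex
    jar[:session_token] = { value: token }
    jar[:secure_cookie_token] = { value: secure_cookie_token(token), secure: true }
    token
  end

  # Mirrors the before_filter, given the cookies actually sent on this request.
  def check(ssl:, cookies:)
    return :ok unless ssl
    expected  = secure_cookie_token(cookies[:session_token])
    presented = cookies[:secure_cookie_token].to_s
    fixed_time_equal?(expected, presented) ? :ok : :bad_request
  end

  private

  # Compare without stopping at the first differing byte (added hardening, not in the gist).
  def fixed_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# A browser holding both cookies passes; a jar rebuilt only from what was
# visible on the plain-HTTP path lacks the Secure cookie and is rejected.
def demo(secret = 'constructed-secret')
  app = SecureCookieBinding.new(secret)
  browser = CookieJar.new
  app.reset_session(browser)
  http_only = CookieJar.new
  browser.sent_over(ssl: false).each { |n, v| http_only[n] = { value: v } }
  { browser: app.check(ssl: true, cookies: browser.sent_over(ssl: true)),
    without_secure_cookie: app.check(ssl: true, cookies: http_only.sent_over(ssl: true)) }
end
```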