
cookie_slasher

Synopsis

Rack middleware that removes cookies from responses that are likely to be accidentally cached.

Audience

Use this gem as an extra layer of protection if your system has any HTTP accelerator in front of it, like Varnish. And by the way, Fastly is all about Varnish.

Why?

It is often desirable to configure the accelerator to cache 404 (Page Not Found) and 301 (Permanent Redirect) responses. It is only too easy to make a trivial mistake and cache those responses even when cookies are set on them.

Consequences of not using it

If a session cookie is set on a 404 or 301 response (which is typical), and that response is cached by the HTTP accelerator, your users will suddenly see themselves logged in as somebody else, and user sessions will be swapped all over the place. Then you will spend days or weeks troubleshooting the problem, because even reproducing it is a challenge, all while users' confidence in your system plummets.

Chances of having 'session swapping' problem

Fairly small, but you are always only one step away from it, and the consequences are dire.

Usage

First, add this line to your Gemfile:

gem 'cookie_slasher'

Second, if you have a Rails app, add this line to config/application.rb:

config.middleware.insert_before ActionDispatch::Cookies, CookieSlasher

If you have a Rack/Sinatra/... app, just 'use' the CookieSlasher middleware close to the top of your rackup configuration.

Third, test to make sure it actually works for you.
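The following is an added illustration of the behaviour described above, written for this README and not the gem's own implementation: a minimal Rack-style middleware that strips Set-Cookie from 301/404 responses and logs what it removed, exercised against a constructed downstream app that leaks a session cookie on every response. The class name, the status list and the `_app_session` cookie are assumptions.

```ruby
require 'stringio'
# Illustration for this README only, not the gem's implementation: a minimal
# Rack-style middleware that strips Set-Cookie from responses an accelerator is
# likely to cache, and logs what it removed. The status list is an assumption.
class CookieStripper
  CACHEABLE = [301, 404].freeze
  def initialize(app, logger: nil, statuses: CACHEABLE)
    @app, @logger, @statuses = app, logger, statuses
  end

  def call(env)
    status, headers, body = @app.call(env)
    return [status, headers, body] unless @statuses.include?(status)
    # Match header names case-insensitively (Rack 3 lowercases them).
    keys = headers.keys.select { |k| k.to_s.casecmp('set-cookie').zero? }
    return [status, headers, body] if keys.empty?

    # Set-Cookie may be a newline-joined String or an Array; log cookie names only.
    names = keys.flat_map { |k| Array(headers[k]).flat_map { |v| v.split("\n") } }
                .map { |c| c.split('=', 2).first }
    log("removed cookies [#{names.join(', ')}] from #{status} #{env['PATH_INFO']}", env)
    [status, headers.reject { |k, _| keys.include?(k) }, body]
  end

  private

  def log(message, env)
    if @logger
      @logger.warn(message)
    elsif (stream = env['rack.errors'])
      stream.puts(message)
    end
  end
end

# Constructed downstream app that sets a session cookie on every response,
# including 404s: exactly the mistake the README warns about.
LEAKY_APP = lambda do |env|
  status = env['PATH_INFO'] == '/' ? 200 : 404
  [status, { 'Content-Type' => 'text/plain',
             'Set-Cookie' => '_app_session=abc123; Path=/; HttpOnly' }, ["status #{status}"]]
end

# Runs one GET through the wrapped app; returns [status, headers] as the client sees them.
def protected_response(path, errors = StringIO.new)
  env = { 'REQUEST_METHOD' => 'GET', 'PATH_INFO' => path, 'rack.errors' => errors }
  status, headers, _body = CookieStripper.new(LEAKY_APP).call(env)
  [status, headers]
end
```

A 200 response keeps its cookie, a 404 loses it, and the removal is written to the rack.errors stream so the offending code path can be fixed at the source.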

Logging

CookieSlasher always logs the cookies it removes from a response, to avoid any surprises. In a Rails app it logs to the standard Rails logger. Otherwise it logs to the 'rack.error' stream, or to a logger provided in the configuration. If you feel like complaining that its log is too verbose and noisy, read the next section.

Abuse

Relying on it to catch ALL your cookies (especially session cookies) ALL the time will work, but is considered abusive. CookieSlasher is just a safeguard; it is not intended to be actively removing those cookies from responses all the time. It can do that, but that is just bad taste and design. If you see in your application log that CookieSlasher is frequently removing cookies, please fix your application code so that it stops creating them in the first place. If you have a Rails app, this line of code may come in handy:

request.session_options[:skip] = true