Class: Contrast::Framework::Rack::Patch::SessionCookie

Inherits:
Object
  • Object
Extended by:
Utils::InvalidConfigurationUtil
Includes:
Components::Interface
Defined in:
lib/contrast/framework/rack/patch/session_cookie.rb

Overview

Our patch into the Rack::Session::Cookie class, allowing runtime detection of insecure configurations on individual cookies within the application.

Constant Summary collapse

CS__SECURE_RULE_NAME =
'secure-flag-missing'
CS__HTTPONLY_NAME =
'rails-http-only-disabled'
CS__SESSION_TIMEOUT_NAME =
'session-timeout'
SAFE_SESSION_TIMEOUT =
(30 * 60 * 60)

Constants included from Utils::InvalidConfigurationUtil

Utils::InvalidConfigurationUtil::CS__PATH, Utils::InvalidConfigurationUtil::CS__SESSION_ID, Utils::InvalidConfigurationUtil::CS__SNIPPET

Class Method Summary collapse

Methods included from Utils::InvalidConfigurationUtil

cs__report_finding

Methods included from Components::Interface

included

Class Method Details

.analyze(options) ⇒ Object



# File 'lib/contrast/framework/rack/patch/session_cookie.rb', line 38

# Inspect the options handed to Rack::Session::Cookie#initialize and run the
# cookie-configuration checks against them.
#
# The checks run only when the agent is enabled and the Assess feature has
# not been forcibly disabled; in every other case the method returns early
# without touching the options.
#
# @param options [Hash] the options hash passed to Rack::Session::Cookie.new
# @return [nil] when analysis is skipped, otherwise the result of the last
#   check (callers do not rely on it)
def analyze options
  # AGENT is consulted first so ASSESS is never queried while the agent is
  # off, matching the order of the two original guard clauses.
  return unless AGENT.enabled? && !ASSESS.forcibly_disabled?

  # Each check reports its own finding; they are independent of one another.
  apply_session_timeout(options)
  apply_httponly(options)
  apply_secure_session(options)
end

.instrument ⇒ Object



# File 'lib/contrast/framework/rack/patch/session_cookie.rb', line 25

# Install the runtime configuration check into Rack::Session::Cookie, once.
#
# The class's original #initialize is kept reachable under the alias
# cs__patched_initialize; the replacement hands the options hash to
# SessionCookie.analyze and then delegates to the original, so every cookie
# session store the application builds is inspected at construction time,
# before the original constructor runs.
#
# Memoised in @_instrument: a second call does nothing and returns the cached
# value. That guard matters because running alias_method again would alias
# the already-patched #initialize and loop on the next construction.
#
# NOTE(review): ::Rack::Session::Cookie must already be loaded when this
# runs; whether the caller guarantees that is not visible from here.
#
# @return [true] once the patch is in place
def instrument
  return @_instrument if @_instrument

  ::Rack::Session::Cookie.class_eval do
    # Keep the original constructor reachable under a prefixed name.
    alias_method :cs__patched_initialize, :initialize

    # Same signature as Rack's constructor; analysis happens before the
    # original constructor is invoked.
    def initialize app, options = {}
      Contrast::Framework::Rack::Patch::SessionCookie.analyze(options)
      cs__patched_initialize(app, options)
    end
  end

  @_instrument = true
end