[Zope3-checkins] CVS: Zope3/lib/python/Zope/App/OFS/Services/SessionService/tests - testCookieSessionService.py:1.2
Itamar Shtull-Trauring
zope@itamarst.org
Thu, 5 Dec 2002 12:10:35 -0500
Update of /cvs-repository/Zope3/lib/python/Zope/App/OFS/Services/SessionService/tests
In directory cvs.zope.org:/tmp/cvs-serv31554/tests
Modified Files:
testCookieSessionService.py
Log Message:
make session id cookies unforgeable, although session hijacking is still possible
=== Zope3/lib/python/Zope/App/OFS/Services/SessionService/tests/testCookieSessionService.py 1.1 => 1.2 ===
--- Zope3/lib/python/Zope/App/OFS/Services/SessionService/tests/testCookieSessionService.py:1.1 Wed Dec 4 16:46:16 2002
+++ Zope3/lib/python/Zope/App/OFS/Services/SessionService/tests/testCookieSessionService.py Thu Dec 5 12:10:35 2002
@@ -50,7 +50,7 @@
def setCookie(self, k, v, **kw):
self.sets += 1
self.cookies[k] = v
- if not abs(parse_http_date(kw["expires"]) - int(time.time()) - 1800) < 1:
+ if not abs(parse_http_date(kw["expires"]) - int(time.time()) - 1800) < 3:
raise AssertionError
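Review bot: The widened expiry tolerance in `setCookie` is an unexplained magic number next to the equally unexplained `1800`, and the bare `raise AssertionError` gives no diagnostic when the window is missed. A short comment such as `# cookie must expire ~30 min from now; allow 3s of clock/scheduling slack` would record why the bound moved from 1 to 3. Raising with a message, e.g. `raise AssertionError("unexpected expires: %r" % kw["expires"])`, would make an intermittent failure debuggable. The enclosing fake-request class starts outside this hunk.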
@@ -105,6 +105,12 @@
svc.invalidate(svc.getSessionId(req))
d2 = getSessionDataObject(self.rootFolder, req, "dm")
self.assertEquals(d2, {})
+
+ def testForgingCookies(self):
+ for fakeValue in ["dsada", "2" * 54]:
+ req = FakeRequest()
+ self.svc.setRequestId(req, fakeValue)
+ self.assertEquals(self.svc.getRequestId(req), None)
class CookieServiceTestCase(SessionServiceTestCaseMixin, TestCase):
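Review bot: `testForgingCookies` only feeds values the service never issued (`"dsada"` and `"2" * 54`), so it would still pass if `getRequestId` rejected on format or length alone, or returned `None` for everything. To pin the "unforgeable" claim from the log message, add a case that takes an id the service actually produced (for example via `getSessionId(req)`), alters a single character, and asserts `None`, alongside a positive control asserting the unmodified id is returned. The positive path may already be covered elsewhere in the file, which is not visible in this hunk. The `54` is presumably the length of a genuine cookie value; a comment like `# same length as a real signed id` would make that intent explicit. The enclosing test mixin class starts outside the hunk.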