HttpOnly session cookie

In my last post I explained how to test session-protected resources with Selenium RC and Ruby. While we were migrating to Rails 2.3, all such tests suddenly stopped working because the JavaScript no longer returned the session cookie. After some research we found out that you can control whether the browser exposes the session cookie to script by adding a small flag to the Set-Cookie header of the HTTP response:

response.setHeader("Set-Cookie", "cookie_name=cookie_value; HttpOnly");

With this flag set, the browser still sends the cookie with every request to the site, but it refuses to expose the cookie to JavaScript (for example through document.cookie), which is exactly why our Selenium tests stopped seeing it. Attribute names in Set-Cookie are matched case-insensitively and HttpOnly takes no value, so browsers also accept spellings such as HTTPOnly=, but HttpOnly is the canonical form. Rails 2.3 now sets this flag on the session cookie by default, which makes a cross-site scripting (XSS) attack less damaging: injected script can no longer read the session cookie and send it elsewhere. It is not a fix for XSS itself, since injected script can still issue requests that carry the cookie.
You can find all the information you need, including a list of supporting browsers, here
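The following is an added example, not code from the original post or from Rails: it builds a Set-Cookie header with the HttpOnly flag in the canonical spelling, parses headers the way a browser does (attribute names compared case-insensitively, flag attributes with no value), and audits a response's Set-Cookie headers for session cookies that lack HttpOnly or Secure. The function names, the session cookie name _session_id and the sample headers are assumptions made for this illustration.

```ruby
# Added example, not code from the original post: build Set-Cookie headers with
# the HttpOnly flag and audit headers that lack it. The function names and the
# sample headers below are constructed for this illustration.

require 'time'

# Build a Set-Cookie header value. HttpOnly and Secure are flag attributes and
# take no "=value" part (browsers ignore a value on them, but "HttpOnly=" is
# not the canonical spelling).
def build_set_cookie(name, value, path: '/', http_only: true, secure: false, expires: nil)
  parts = ["#{name}=#{value}", "Path=#{path}"]
  parts << "Expires=#{expires.httpdate}" if expires
  parts << 'Secure' if secure
  parts << 'HttpOnly' if http_only
  parts.join('; ')
end

# Parse a Set-Cookie header value into its name, value and attributes.
# Attribute names are compared case-insensitively, as RFC 6265 requires,
# so "httponly", "HttpOnly" and "HTTPOnly=" all count as the flag being set.
def parse_set_cookie(header)
  pair, *attributes = header.split(';').map(&:strip)
  name, value = pair.split('=', 2)
  attrs = {}
  attributes.each do |attribute|
    next if attribute.empty?
    key, val = attribute.split('=', 2)
    attrs[key.downcase] = val.to_s # flag attributes such as HttpOnly map to ""
  end
  { name: name, value: value.to_s, attrs: attrs }
end

# True when the cookie set by this header is hidden from document.cookie.
def http_only?(header)
  parse_set_cookie(header)[:attrs].key?('httponly')
end

# Audit the Set-Cookie headers of one response: a session cookie without
# HttpOnly can be read and exfiltrated by any script injected through XSS;
# without Secure it can be captured on a plaintext connection.
def audit_session_cookies(headers, session_names: ['_session_id'])
  findings = []
  headers.each do |header|
    cookie = parse_set_cookie(header)
    next unless session_names.include?(cookie[:name])
    findings << "#{cookie[:name]}: missing HttpOnly" unless cookie[:attrs].key?('httponly')
    findings << "#{cookie[:name]}: missing Secure" unless cookie[:attrs].key?('secure')
  end
  findings
end

# Constructed sample headers: a session cookie without the flag, and the hardened form.
LEGACY_HEADERS = ['_session_id=abc123; Path=/', 'theme=dark; Path=/']
HARDENED_HEADERS = [build_set_cookie('_session_id', 'abc123', secure: true), 'theme=dark; Path=/']

if __FILE__ == $PROGRAM_NAME
  puts "legacy:   #{audit_session_cookies(LEGACY_HEADERS).inspect}"
  puts "hardened: #{audit_session_cookies(HARDENED_HEADERS).inspect}"
end
```

Run the file and the legacy headers produce two findings for _session_id while the hardened ones produce none. The audit only looks at names you tell it are session cookies, because non-session cookies that script legitimately reads (a theme preference, say) should not be flagged.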
