sinatra / rack-protection

NOTE: This project has been merged upstream to sinatra/sinatra
https://github.com/sinatra/sinatra/tree/master/rack-protection

Add cookie tossing protection #113

Closed jkowens closed 8 years ago

jkowens commented 8 years ago

Mitigate malicious session cookies set on a subdomain from being read by the parent domain. Resolves sinatra/sinatra#1155.

I've set the default reaction to deny the request, but I've added a method so that it could be configured to redirect as described in the GitHub blog.

use Rack::Protection::CookieTossing, :reaction => :redirect

There is also an option to set the session cookie name (the default is rack.session):

use Rack::Protection::CookieTossing, :session_key => '_session'
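As an added illustration of the check this PR describes (not the rack-protection code itself): a minimal Rack-style middleware that treats a duplicated session cookie in the raw Cookie header as a tossed cookie and either denies the request or redirects, taking the same `:reaction` and `:session_key` options as the examples above. The class name `CookieTossingCheck` is an assumption.

```ruby
# Added example, not the rack-protection implementation. A browser sends every
# cookie whose name matches, so a cookie set by a subdomain for the parent
# domain shows up as a second "rack.session" entry in the Cookie header:
#   Cookie: rack.session=legit; rack.session=tossed
class CookieTossingCheck
  def initialize(app, options = {})
    @app         = app
    @reaction    = options.fetch(:reaction, :deny)        # :deny or :redirect
    @session_key = options.fetch(:session_key, 'rack.session')
  end

  # Parse the raw header rather than a name=>value hash: a hash collapses
  # duplicate names and would hide exactly the condition we need to see.
  def tossed?(env)
    raw   = env['HTTP_COOKIE'].to_s
    names = raw.split(/;\s*/).map { |pair| pair.split('=', 2).first.to_s.strip }
    names.count(@session_key) > 1
  end

  def call(env)
    return @app.call(env) unless tossed?(env)
    react(env)
  end

  private

  # :redirect sends the client back to the same path while expiring the
  # session cookie for this host and Path=/; copies scoped to other paths or
  # domains would need their own Set-Cookie headers (omitted here).
  def react(env)
    if @reaction == :redirect
      path = env['PATH_INFO'].to_s
      path = '/' if path.empty?
      headers = {
        'Location'   => path,
        'Set-Cookie' => "#{@session_key}=; Max-Age=0; Path=/"
      }
      [302, headers, []]
    else
      [400, { 'Content-Type' => 'text/plain' }, ['Bad Request']]
    end
  end
end
```

A request carrying a single session cookie passes through untouched; only the duplicated name triggers the reaction.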
zzak commented 8 years ago

@jkowens Thank you!