diff --git a/rack-protection/lib/rack/protection/session_hijacking.rb b/rack-protection/lib/rack/protection/session_hijacking.rb index 4ab047a12b..a7dd54b742 100644 --- a/rack-protection/lib/rack/protection/session_hijacking.rb +++ b/rack-protection/lib/rack/protection/session_hijacking.rb @@ -14,7 +14,7 @@ module Protection class SessionHijacking < Base default_reaction :drop_session default_options :tracking_key => :tracking, :encrypt_tracking => true, - :track => %w[HTTP_USER_AGENT HTTP_ACCEPT_LANGUAGE] + :track => %w[HTTP_USER_AGENT] def accepts?(env) session = session env diff --git a/rack-protection/spec/lib/rack/protection/session_hijacking_spec.rb b/rack-protection/spec/lib/rack/protection/session_hijacking_spec.rb index 2e5bfab56f..11d655c5ff 100644 --- a/rack-protection/spec/lib/rack/protection/session_hijacking_spec.rb +++ b/rack-protection/spec/lib/rack/protection/session_hijacking_spec.rb @@ -23,27 +23,6 @@ expect(session).not_to be_empty end - it "denies requests with a changing Accept-Language header" do - session = {:foo => :bar} - get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_LANGUAGE' => 'a' - get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_LANGUAGE' => 'b' - expect(session).to be_empty - end - - it "accepts requests with the same Accept-Language header" do - session = {:foo => :bar} - get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_LANGUAGE' => 'a' - get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_LANGUAGE' => 'a' - expect(session).not_to be_empty - end - - it "comparison of Accept-Language header is not case sensitive" do - session = {:foo => :bar} - get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_LANGUAGE' => 'a' - get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_LANGUAGE' => 'A' - expect(session).not_to be_empty - end - it "accepts requests with a changing Version header"do session = {:foo => :bar} get '/', {}, 'rack.session' => session, 'HTTP_VERSION' => '1.0'