Simplify Rack::Protection::SessionHijack

The underlying sessions are now fully encrypted. We can just rely on this feature to protect the header canaries used by SessionHijack.
sinatra · Jul 11, 2017 · 7440f22 · 7440f22
1 parent 70da2a4
commit 7440f22
Showing 1 changed file with 5 additions and 6 deletions.
diff --git a/rack-protection/lib/rack/protection/session_hijacking.rb b/rack-protection/lib/rack/protection/session_hijacking.rb
@@ -13,23 +13,22 @@ module Protection
     # spoofed, too, this will not prevent determined hijacking attempts.
     class SessionHijacking < Base
       default_reaction :drop_session
-      default_options :tracking_key => :tracking, :encrypt_tracking => true,
+      default_options :tracking_key => :tracking,
         :track => %w[HTTP_USER_AGENT HTTP_ACCEPT_LANGUAGE]
 
       def accepts?(env)
         session = session env
         key     = options[:tracking_key]
         if session.include? key
-          session[key].all? { |k,v| v == encrypt(env[k]) }
+          session[key].all? { |k,v| v == encode(env[k]) }
         else
           session[key] = {}
-          options[:track].each { |k| session[key][k] = encrypt(env[k]) }
+          options[:track].each { |k| session[key][k] = encode(env[k]) }
         end
       end
 
-      def encrypt(value)
-        value = value.to_s.downcase
-        options[:encrypt_tracking] ? super(value) : value
+      def encode(value)
+        value.to_s.downcase
       end
     end
   end