How do I tell WWW::Mechanize to ignore a secure cookie?

I need to work with a legacy CGI program and I am writing tests for it. I am using Test::WWW::Mechanize::CGI. The app runs on https in production, and the home-grown session handling just throws out a cookie that has the secure parameter set.

my $cookie = $q->cookie(
    -name     => 'session',
    -value    => 'foobar',
    -expires  => '+24h',
    -secure   => 1,           # this is the culprit
    -httponly => 1,
    -samesite => 'Strict',
);

      

While this makes sense under an https URL in production, it breaks my tests because I don't have SSL support.

The obvious solution would be to add a switch that will only use this setting in the cookie if there is SSL, but I don't want to do that at this point. Instead, I want to know how to disable this thing from the testing end.

Here's an example to illustrate what I'm talking about. It uses things in CGI.pm that I usually discourage people from using. Please bear with me to understand the problem.

use strict;
use warnings;
use CGI;
use Test::WWW::Mechanize::CGI;
use Test::More;

my $mech = Test::WWW::Mechanize::CGI->new;
$mech->cgi(
    sub {
        my $q = CGI->new;

        if ( $q->param('behind_login') ) {
            # check if we've got the session cookie
            if ( $q->cookie('session') ) {
                print $q->header, $q->start_html('Logged in'), $q->h1('Welcome back'), $q->end_html;
            }
            else {
                print $q->header( 'text/plain', '403 Unauthorized' );
            }
        }
        else {
            # this is where the user gets logged in
            my $cookie = $q->cookie(
                -name     => 'session',
                -value    => 'foobar',
                -expires  => '+24h',
                -secure   => 1,           # this is the culprit
                -httponly => 1,
                -samesite => 'Strict'
            );

            print $q->header( -cookie => $cookie ),
                $q->start_html('Hello World'),
                $q->h1('Hello World'),
                $q->end_html;
        }
    }
);

$mech->get_ok('http://localhost/');
$mech->get_ok('http://localhost/?behind_login=1');

done_testing;

      

If this program is run, the first test will pass and the second will fail. If the line marked with the -secure option is commented out, the second test will pass as well.

I did a little bit of digging in LWP::UserAgent but couldn't find where this can be disabled. I know this is the default behavior and it's good that it behaves like this.

There might be an option to turn this off, which I couldn't see when I was looking at the docs, but most likely not. I'm fine with monkey-patching this thing as soon as I figure out where to do it.

+3




1 answer


The solution is trivial. Just call get_ok using an https URL. Mechanize will just do the right thing. The request will know that it is protected and everything will work.

$mech->get_ok('https://localhost/');
$mech->get_ok('https://localhost/?behind_login=1');

      



There is no need to disarm anything at all.

0
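The cookie-jar behaviour behind the answer above, as an added example that is not part of the original question or answer: it feeds a constructed login response into HTTP::Cookies, the jar class LWP::UserAgent (and so WWW::Mechanize) uses by default, and checks which follow-up requests get the session cookie. The helper cookie_header_for and the hand-written Set-Cookie line are assumptions made for the illustration.

```perl
use strict;
use warnings;
use HTTP::Cookies;
use HTTP::Request;
use HTTP::Response;
use Test::More;

# Constructed login response carrying the same attributes as the cookie
# built with $q->cookie(...) in the question.
my $login = HTTP::Request->new( GET => 'https://localhost/' );
my $res   = HTTP::Response->new( 200, 'OK' );
$res->header( 'Set-Cookie' =>
      'session=foobar; path=/; secure; HttpOnly; SameSite=Strict' );
$res->request($login);    # the jar takes the cookie's domain from the request

my $jar = HTTP::Cookies->new;    # in-memory jar, nothing is written to disk
$jar->extract_cookies($res);

# Hypothetical helper: returns the Cookie header the jar would attach to a
# GET request for $url, or undef when it attaches none.
sub cookie_header_for {
    my ($url) = @_;
    my $req = HTTP::Request->new( GET => $url );
    $jar->add_cookie_header($req);
    return scalar $req->header('Cookie');
}

# The jar recorded the secure flag (8th argument passed to the scan callback).
my $secure_flag;
$jar->scan( sub { $secure_flag = $_[7] if $_[1] eq 'session' } );
ok( $secure_flag, 'session cookie is stored with the secure flag' );

# Plain http: the secure cookie is withheld, so the CGI sees no session.
is( cookie_header_for('http://localhost/?behind_login=1'),
    undef, 'no Cookie header on an http request' );

# https: the scheme alone decides; no TLS handshake is involved here.
is( cookie_header_for('https://localhost/?behind_login=1'),
    'session=foobar', 'Cookie header sent on an https request' );

done_testing;
```

The decision is made on the URL scheme of the outgoing request, which is why switching the test URLs to https is enough and the -secure flag can stay in the application.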

