如何告诉WWW :: Mechanize忽略安全cookie?
[英]How do I tell WWW::Mechanize to ignore a secure cookie?
问题描述
I need to work with a legacy CGI program and I am writing tests for it. 
我需要使用遗留的CGI程序,我正在为它编写测试。 I use Test::WWW::Mechanize::CGI for that. 我使用Test :: WWW :: Mechanize :: CGI 。 The application runs on https in production, and the home-made session handling simply throws out a cookie, which has the secure option set. 该应用程序在生产中的https上运行,而自制的会话处理只会抛出一个cookie,该cookie具有安全选项集。
my $cookie = $q->cookie(
-name => 'session',
-value => 'foobar',
-expires => '+24h',
-secure => 1, # this is the culprit
-httponly => 1,
-samesite => 'Strict',
;
While this makes sense under the https URL in production, it breaks my tests because I don't have SSL support there. 虽然这在生产中的https URL下是有意义的,但它会破坏我的测试,因为我没有SSL支持。
The obvious solution would be to put in a switch that only enables this option on the cookie if there is SSL available, but I don't want to do that at this point. 显而易见的解决方案是放入一个只在有可用SSL的情况下在cookie上启用此选项的开关,但此时我不想这样做。 Instead, I want to find out how to disable this thing from the testing end. 相反,我想知道如何从测试端禁用此东西。
Here's an example that illustrates what I'm talking about. 这是一个例子,说明了我在说什么。 It uses things in CGI.pm that I would usually discourage people from using. 它使用CGI.pm中的东西,我通常会阻止人们使用它。 Please bear with me to understand the issue. 请耐心了解这个问题。
use strict;
use warnings;
use CGI;
use Test::WWW::Mechanize::CGI;
use Test::More;
my $mech = Test::WWW::Mechanize::CGI->new;
$mech->cgi(
sub {
my $q = CGI->new;
if ( $q->param('behind_login') ) {
# check if we've got the session cookie
if ( $q->cookie('session') ) {
print $q->header, $q->start_html('Logged in'), $q->h1('Welcome back'), $q->end_html;
}
else {
print $q->header( 'text/plain', '403 Unauthorized' );
}
}
else {
# this is where the user gets logged in
my $cookie = $q->cookie(
-name => 'session',
-value => 'foobar',
-expires => '+24h',
-secure => 1, # this is the culprit
-httponly => 1,
-samesite => 'Strict'
);
print $q->header( -cookie => $cookie ),
$q->start_html('Hello World'),
$q->h1('Hello World'),
$q->end_html;
}
}
);
$mech->get_ok('http://localhost/');
$mech->get_ok('http://localhost/?behind_login=1');
done_testing;
If this program is run, the first test will pass, and the second one will fail. 如果运行此程序,第一个测试将通过,第二个测试将失败。 If the marked line with the -secure option is commented out, the second test will pass, too. 如果带有-secure选项的标记行被注释掉,第二个测试也将通过。
I've rummaged around in LWP::UserAgent a bit, but haven't found where this could be disabled. 我在LWP :: UserAgent中翻找了一下,但是没有找到可以禁用的地方。 I'm aware that this is the default behavior and that it's good that it behaves like this. 我知道这是默认行为,它表现得像这样好。
There might be an option to turn this off that I have failed to see when I was studying the docs, but it's likely there is not. 可能有一个选项可以解决这个问题,我在研究文档的时候没有看到,但很可能没有。 I am fine with monkey-patching this thing away once I understand where to do that. 一旦我明白在哪里做这件事,我就可以把这个东西修好。
1 个解决方案
解决方案1
0 2017-07-21 10:49:47
The solution is trivial. 解决方案是微不足道的。 Just call get_ok with https URL. 只需使用https网址调用get_ok 。 Mechanize will simply do the right thing. 机械化将只是做正确的事情。 The request will know that it's secure, and stuff will work. 该请求将知道它是安全的,并且东西将起作用。
$mech->get_ok('https://localhost/');
$mech->get_ok('https://localhost/?behind_login=1');
There is no need to monkey-patch anything at all. 根本不需要修补任何东西。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.