Koha/t/Output.t
Galen Charlton 7b165794cd Bug 10016: force zero browser-side caching of SCO pages
This patch makes the web-based self-check module pages
specify that no browser (or proxy caching) occur at all.
This prevents a security issue where letting the SCO session time out,
then hitting the back button allowed one to view the previous
patron's session.

This patch adds an optional fifth parameter to output_with_http_headers(),
and output_html_with_http_headers(), a hashref for miscellaneous
options.  One key is defined at the moment: force_no_caching, which if
if present and set to a true value, sets HTTP headers to specify no
browser caching of the page at all.

To test:

[1] Start a web-based self-check session and optionally perform
    some transactions.
[2] Allow the session to time out (it may be helpful to set
    SelfCheckTimeout to a low value such as 10 seconds).
[3] Hit the back button.  You should not see the previous patron's
    self-check session.
[4] Verify that prove -v t/Output.t passes.

Signed-off-by: Galen Charlton <gmc@esilibrary.com>
Signed-off-by: Ed Veal <ed.veal@bywatersolutions.com>
Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
2013-10-21 18:05:12 +00:00

30 lines
883 B
Perl
Executable file

#!/usr/bin/perl
use strict;
use warnings;
use Test::More tests => 5;
use CGI;
BEGIN {
use_ok('C4::Output');
}
my $query = CGI->new();
my $cookie;
my $output = 'foobarbaz';
{
local *STDOUT;
my $stdout;
open STDOUT, '>', \$stdout;
output_html_with_http_headers $query, $cookie, $output, undef, { force_no_caching => 1 };
like($stdout, qr/Cache-control: no-cache, no-store, max-age=0/, 'force_no_caching sets Cache-control as desired');
like($stdout, qr/Expires: /, 'force_no_caching sets an Expires header');
$stdout = '';
close STDOUT;
open STDOUT, '>', \$stdout;
output_html_with_http_headers $query, $cookie, $output, undef, undef;
like($stdout, qr/Cache-control: no-cache[^,]/, 'not using force_no_caching sets Cache-control as desired');
unlike($stdout, qr/Expires: /, 'force_no_caching does not set an Expires header');
}