How to generate a signed Rails session cookie

Bypass the sign-in process by sending a signed session cookie in the HTTP headers.

In my last article I wrote about testing the Twitter sign-in process by visiting Twitter, signing in to a real account, authorizing the application and returning to the callback url. We followed the exact path that the user follows to ensure that sign-in integrates flawlessly with Twitter. As we begin testing the rest of our application we'll need users to sign in but they don't need to follow the end-to-end sign-in path.

Most authentication systems provide a way of bypassing the sign-in process under the test environment but I had trouble coming up with a good solution for OmniAuth (pre 0.2.0). Passing an acceptable hash of attributes to the OmniAuth callback url was the initial idea but before leaving the middleware, OmniAuth makes a GET request to Twitter verifying account credentials. Sure, I could use EphemeralResponse to cache this request but with sign-in thoroughly tested elsewhere, the rest of my suite should sign in as simply as possible.

I can't easily go through OmniAuth without faking the Twitter interaction or monkeypatching the library so I decided to bypass OmniAuth altogether. When OmniAuth is successful, the user is signed in via their session. To mimic this behavior, all we have to do is to send a legitimately signed session cookie to the server. Unfortunately, generating a signed session cookie is not a straightforward process but after reading through a fair amount of source I wrote a class to generate them:

class SessionCookieGenerator
  extend Forwardable
  def_delegators :session_hash, :[], :[]=

  attr_reader :session_hash, :session_key

  def initialize
    @session_key = Rails.configuration.session_options[:key]
    @session_hash  = {"session_id" => SecureRandom.hex(32)}
    @cookie_jar =, Capybara.default_host)

  def to_s

  def signed_session_value
    @cookie_jar.signed[session_key] = {:value => session_hash.to_hash}

Initialize a new object, set a session key and value, then call #to_s to retrieve the signed session cookie string.

Here's how you use it:

Given /^I am signed in as (.+)$/ do |nickname|
  @current_user = User.find_by_nickname(nickname)
  session_generator =
  session_generator['user_id'] =
  page.driver.set_cookie session_generator.to_s
  page.driver.get "/"

The above snippet assumes that a user is signed in via session[:user_id].

Now you can sign in without going through the sign-in form; just make sure at least one test actually goes through the full sign-in process.

blog comments powered by Disqus
Gingerbread cookie on a string with "My little cuddlebear" written on it in icing

Photo taken by Grufnik