0
@@ -13,8 +13,8 @@ module ActionController #:nodoc:
0
     #   (default). Additionally, there is CGI::Session::DRbStore and CGI::Session::ActiveRecordStore. Read more about these in
0
     #   lib/action_controller/session.
0
     # * <tt>:session_key</tt> - the parameter name used for the session id. Defaults to '_session_id'.
0
-    # * <tt>:session_id</tt> - the session id to use.  If not provided, then it is retrieved from the +session_key+ parameter
0
-    #   of the request, or automatically generated for a new session.
0
+    # * <tt>:session_id</tt> - the session id to use.  If not provided, then it is retrieved from the +session_key+ cookie, or 
0
+    #   automatically generated for a new session.
0
     # * <tt>:new_session</tt> - if true, force creation of a new session.  If not set, a new session is only created if none currently
0
     #   exists.  If false, a new session is never created, and if none currently exists and the +session_id+ option is not set,
0
     #   an ArgumentError is raised.
0
@@ -24,6 +24,8 @@ module ActionController #:nodoc:
0
     #   server.
0
     # * <tt>:session_secure</tt> - if +true+, this session will only work over HTTPS.
0
     # * <tt>:session_path</tt> - the path for which this session applies.  Defaults to the directory of the CGI script.
0
+    # * <tt>:cookie_only</tt> - if +true+ (the default), session IDs will only be accepted from cookies and not from
0
+    #   the query string or POST parameters. This protects against session fixation attacks.
0
     def self.process_cgi(cgi = CGI.new, session_options = {})
0
       new.process_cgi(cgi, session_options)
0
     end
0
@@ -34,18 +36,21 @@ module ActionController #:nodoc:
0
   end
0
 
0
   class CgiRequest < AbstractRequest #:nodoc:
0
-    attr_accessor :cgi, :session_options
0
+    attr_accessor :cgi, :session_options, :cookie_only
0
+    class SessionFixationAttempt < StandardError; end #:nodoc:
0
 
0
     DEFAULT_SESSION_OPTIONS = {
0
       :database_manager => CGI::Session::PStore,
0
       :prefix           => "ruby_sess.",
0
-      :session_path     => "/"
0
+      :session_path     => "/",
0
+      :cookie_only      => true
0
     } unless const_defined?(:DEFAULT_SESSION_OPTIONS)
0
 
0
     def initialize(cgi, session_options = {})
0
       @cgi = cgi
0
       @session_options = session_options
0
       @env = @cgi.send(:env_table)
0
+      @cookie_only = session_options.delete :cookie_only
0
       super()
0
     end
0
 
0
@@ -109,6 +114,9 @@ module ActionController #:nodoc:
0
           @session = Hash.new
0
         else
0
           stale_session_check! do
0
+            if @cookie_only && request_parameters[session_options_with_string_keys['session_key']]
0
+              raise SessionFixationAttempt
0
+            end
0
             case value = session_options_with_string_keys['new_session']
0
               when true
0
                 @session = new_session