Maintain an emulation of a functionally-pure :session so as not to break the contract with other middleware that expects the ring requests/responses to be pure.
This was just a cleanup needed so that middleware like friend doesn't leak information into :session that it is trying to dissoc. I get a little fastidious about things that are security-related, which this is.
Store *noir-session* managed keys in :noir map inside :session. Maint…
…ain an emulation of a functionally-pure :session so as not to break the contract with other middleware that expects the ring requests/responses to be pure.
@ibdknox This makes sense and looks good, but I wanted to ping you and see if you could look over it if you've got a minute before I merge it in, just for completeness sake. No hurry.
add two more tests for removing :session or assigning it to nil
@Raynes seems reasonable to me.
It's worth noting that this change causes some unintuitive behavior compared to previous behavior -- this means that sessions aren't updated, and therefore session expiration times can't be changed by the ring handler, unless a response explicitly modifies the session. (we just noticed this in production after an upgrade)
our work around is to explicitly assoc the session each time using another middleware.