
reset_session should force a new session id to be generated [#2173]

1 parent 4458edc commit 224a534400fd622dda57058d1eed349b8375e5e3 @josh josh committed Mar 9, 2009
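--- a/actionpack/lib/action_controller/request.rb
+++ b/actionpack/lib/action_controller/request.rb
@@ -442,6 +442,7 @@ def session=(session) #:nodoc:
 end
 def reset_session
+@env['rack.session.options'].delete(:id)
 @env['rack.session'] = {}
 end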
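Review bot: `@env['rack.session.options'].delete(:id)` assumes the options hash is always present, so a request that reaches the controller without a session middleware populating `rack.session.options` would now raise NoMethodError where the previous body only replaced the session hash; `options = @env['rack.session.options']` followed by `options.delete(:id) if options` keeps that tolerance while still dropping the id. The reason for removing the id is not visible from the line itself and deserves a comment, e.g. `# Drop the current id so the store issues a fresh one; otherwise the pre-reset id would survive reset_session.`. The hunk header counts six old lines but only four are shown here, so some surrounding context appears to have been cut from the page.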
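--- a/actionpack/test/activerecord/active_record_store_test.rb
+++ b/actionpack/test/activerecord/active_record_store_test.rb
@@ -21,8 +21,15 @@ def get_session_value
 render :text => "foo: #{session[:foo].inspect}"
 end
+def get_session_id
+session[:foo]
+render :text => "#{request.session_options[:id]}"
+end
+
 def call_reset_session
+session[:bar]
 reset_session
+session[:bar] = "baz"
 head :ok
 end
@@ -71,6 +78,7 @@ def test_setting_session_value_after_session_reset
 get '/set_session_value'
 assert_response :success
 assert cookies['_session_id']
+session_id = cookies['_session_id']
 get '/call_reset_session'
 assert_response :success
@@ -79,6 +87,23 @@ def test_setting_session_value_after_session_reset
 get '/get_session_value'
 assert_response :success
 assert_equal 'foo: nil', response.body
+
+get '/get_session_id'
+assert_response :success
+assert_not_equal session_id, response.body
+end
+end
+
+def test_getting_session_id
+with_test_route_set do
+get '/set_session_value'
+assert_response :success
+assert cookies['_session_id']
+session_id = cookies['_session_id']
+
+get '/get_session_id'
+assert_response :success
+assert_equal session_id, response.body
 end
 end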
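Review bot: `call_reset_session` now writes `session[:bar] = "baz"` after the reset, but `test_setting_session_value_after_session_reset` never reads that value back — `/get_session_value` only asserts `foo: nil` — so a store that silently dropped writes made after `reset_session` would still pass; having `get_session_value` render `session[:bar].inspect` as well and asserting it comes back as `"baz"` after the reset would pin the behaviour the test name promises. The bare `session[:foo]` in `get_session_id` and the `session[:bar]` before `reset_session` look like they exist only to touch the session before the id is read or reset, and a comment such as `# touch the session so it is loaded before the id is read` would spare the next reader the guess. Both points apply equally to the matching actions and test in mem_cache_store_test.rb in this commit.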
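--- a/actionpack/test/controller/session/mem_cache_store_test.rb
+++ b/actionpack/test/controller/session/mem_cache_store_test.rb
@@ -17,11 +17,14 @@ def get_session_value
 end
 def get_session_id
-render :text => "foo: #{session[:foo].inspect}; id: #{request.session_options[:id]}"
+session[:foo]
+render :text => "#{request.session_options[:id]}"
 end
 def call_reset_session
+session[:bar]
 reset_session
+session[:bar] = "baz"
 head :ok
 end
@@ -58,47 +61,52 @@ def test_getting_nil_session_value
 end
 end
-def test_getting_session_id
+def test_setting_session_value_after_session_reset
 with_test_route_set do
 get '/set_session_value'
 assert_response :success
 assert cookies['_session_id']
 session_id = cookies['_session_id']
-get '/get_session_id'
+get '/call_reset_session'
 assert_response :success
-assert_equal "foo: \"bar\"; id: #{session_id}", response.body
-end
-end
+assert_not_equal [], headers['Set-Cookie']
-def test_prevents_session_fixation
-with_test_route_set do
 get '/get_session_value'
 assert_response :success
 assert_equal 'foo: nil', response.body
-session_id = cookies['_session_id']
-
-reset!
-get '/set_session_value', :_session_id => session_id
+get '/get_session_id'
 assert_response :success
-assert_equal nil, cookies['_session_id']
+assert_not_equal session_id, response.body
 end
 end
-def test_setting_session_value_after_session_reset
+def test_getting_session_id
 with_test_route_set do
 get '/set_session_value'
 assert_response :success
 assert cookies['_session_id']
+session_id = cookies['_session_id']
-get '/call_reset_session'
+get '/get_session_id'
 assert_response :success
-assert_not_equal [], headers['Set-Cookie']
+assert_equal session_id, response.body
+end
+end
+def test_prevents_session_fixation
+with_test_route_set do
 get '/get_session_value'
 assert_response :success
 assert_equal 'foo: nil', response.body
+session_id = cookies['_session_id']
+
+reset!
+
+get '/set_session_value', :_session_id => session_id
+assert_response :success
+assert_equal nil, cookies['_session_id']
 end
 end
 rescue LoadError, RuntimeError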
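Review bot: `assert_not_equal [], headers['Set-Cookie']` right after `/call_reset_session` in `test_setting_session_value_after_session_reset` only proves that some cookie header was emitted; it does not show that the session cookie the client holds was actually rotated. Adding `assert_not_equal session_id, cookies['_session_id']` at that point pins the client-visible effect of the reset next to the server-side id comparison the test already makes via `/get_session_id`. As a point of style, `assert_equal nil, cookies['_session_id']` in `test_prevents_session_fixation` reads better as `assert_nil cookies['_session_id']`, and `render :text => "#{request.session_options[:id]}"` in `get_session_id` is an interpolation-only string that `request.session_options[:id].to_s` expresses directly (the same form appears in the ActiveRecord store test in this commit).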

3 comments on commit 224a534

@gaffo

Does this work with the test session?

@josh
Ruby on Rails member

The functional test’s session is just a mock and never gets turned into a real session id or cookie.

@cch1

Gaffo's question is still pretty valid though. If #reset_session "should force a new session id" (and I agree it should) then it's natural to build on that functionality. And if it doesn't behave that way in tests, then things go awry.
