
Make sure that Rails doesn't resent session_id cookie over and over a…

…gain if it's already there [#2485 state:resolved]

This applies only to the Active Record store and the Memcached store, as both keep only the session_id in the cookie, and that value does not change.

Signed-off-by: José Valim <jose.valim@gmail.com>
1 parent a12b76b commit 617e94658ddc3f71c42fc4f8c2346f87ff106bbe @sikachu sikachu committed with josevalim Jun 24, 2010
@@ -196,7 +196,9 @@ def generate_sid
end
def set_cookie(request, options)
- request.cookie_jar[@key] = options
+ if request.cookie_jar[@key] != options[:value] || !options[:expires].nil?
+ request.cookie_jar[@key] = options
+ end
end
def load_session(env)
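Review bot: The new guard in set_cookie compares only the cookie value and whether `:expires` is set, so a change to any other cookie option is not pushed to a browser that already holds the same session id. If `options` can also carry attributes such as `:secure`, `:httponly`, `:domain` or `:path` (not visible in this hunk, so this is an assumption), tightening them in configuration would leave existing clients on the older cookie until the id changes. The left-hand side of the comparison is the value the client sent, so skipping the write is only sound if an unknown or fixated id has already been replaced before this point; that code is outside the hunk. A comment above the condition would record the intent, for example `# Skip Set-Cookie when the client already sent this sid; always resend when :expires is set (presumably to refresh the expiry).`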
@@ -136,6 +136,18 @@ def test_getting_session_id
end
end
+ def test_doesnt_write_session_cookie_if_session_id_is_already_exists
+ with_test_route_set do
+ get '/set_session_value'
+ assert_response :success
+ assert cookies['_session_id']
+
+ get '/get_session_value'
+ assert_response :success
+ assert_equal nil, headers['Set-Cookie'], "should not resend the cookie again if session_id cookie is already exists"
+ end
+ end
+
def test_prevents_session_fixation
with_test_route_set do
get '/set_session_value'
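Review bot: The added test covers only the case where no expiry is configured, so nothing exercises the `!options[:expires].nil?` side of the new condition, where the cookie should still be sent on every response. A companion test with an expiry configured, asserting that `headers['Set-Cookie']` is present on the second request, would pin that branch and guard against a later change silently stopping expiry refresh. As a style point, `assert_nil headers['Set-Cookie'], "..."` states the expectation more directly than `assert_equal nil, ...`. Both remarks apply equally to the identical test added in the next hunk.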
@@ -117,6 +117,18 @@ def test_getting_session_id
end
end
+ def test_doesnt_write_session_cookie_if_session_id_is_already_exists
+ with_test_route_set do
+ get '/set_session_value'
+ assert_response :success
+ assert cookies['_session_id']
+
+ get '/get_session_value'
+ assert_response :success
+ assert_equal nil, headers['Set-Cookie'], "should not resend the cookie again if session_id cookie is already exists"
+ end
+ end
+
def test_prevents_session_fixation
with_test_route_set do
get '/get_session_value'
