
Cookie session store: ensure that new sessions don't reuse data from a deleted session in the same request.

git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@6424 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
1 parent 1f02271 commit bbcfb9b625c4ed471fcf7c827b700ccb025e7dd9 @jeremy jeremy committed Mar 14, 2007
@@ -1,5 +1,7 @@
*SVN*
+* Cookie session store: ensure that new sessions doesn't reuse data from a deleted session in the same request. [Jeremy Kemper]
+
* Deprecation: verification with :redirect_to => :named_route shouldn't be deprecated. #7525 [Justin French]
* Cookie session store: raise ArgumentError when :session_key is blank. [Jeremy Kemper]
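Review bot: The new CHANGELOG entry reads "new sessions doesn't reuse data", which should be "new sessions don't reuse data". Since this entry describes a fix to what happens after a session is deleted, it would also help to say that the incoming cookie value is cleared on delete, so readers of the changelog can tell what behaviour changed.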
@@ -96,6 +96,7 @@ def close
# Delete the session data by setting an expired cookie with no data.
def delete
@data = nil
+ clear_old_cookie_value
write_cookie('value' => '', 'expires' => 1.year.ago)
end
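Review bot: In delete, clear_old_cookie_value is called before write_cookie, so if the helper raises for any reason the expired cookie is never queued and the client keeps its old session cookie. Either call write_cookie first or make the helper unable to fail. The comment above delete still only mentions "setting an expired cookie with no data"; it should also say that the request-side cookie value is cleared.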
@@ -134,4 +135,9 @@ def write_cookie(options)
cookie = CGI::Cookie.new(@cookie_options.merge(options))
@session.cgi.send :instance_variable_set, '@output_cookies', [cookie]
end
+
+ # Clear cookie value so subsequent new_session doesn't reload old data.
+ def clear_old_cookie_value
+ @session.cgi.cookies[@cookie_options['name']].clear
+ end
end
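Review bot: clear_old_cookie_value calls .clear directly on the result of @session.cgi.cookies[@cookie_options['name']] with no check that the lookup returned an object. Nothing in this hunk shows what cookies[] returns when the request carried no cookie under that name, so delete on a cookie-less request depends on that behaviour; a guard (or a short comment saying why none is needed) would make this safe to read. The method also mutates the request cookie in place, which affects any other code in the same request that holds a reference to it, and the comment should state that this is intended.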
@@ -135,6 +135,19 @@ def test_delete_writes_expired_empty_cookie_and_sets_data_to_nil
end
end
+ def test_new_session_doesnt_reuse_deleted_cookie_data
+ set_cookie! cookie_value(:typical)
+
+ new_session do |session|
+ assert_not_nil session['user_id']
+ session.delete
+
+ # Start a new session using the same CGI instance.
+ post_delete_session = CGI::Session.new(session.cgi, self.class.default_session_options)
+ assert_nil post_delete_session['user_id']
+ end
+ end
+
private
def assert_no_cookies(session)
assert_nil session.cgi.output_cookies, session.cgi.output_cookies.inspect
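Review bot: test_new_session_doesnt_reuse_deleted_cookie_data only checks that session['user_id'] is nil after the delete, so it would still pass if other keys from the old cookie leaked into post_delete_session. Assert that the new session carries no data from cookie_value(:typical) at all, and add a second case that calls session.delete when set_cookie! was never called, since clear_old_cookie_value is now on that path too.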
