Permalink
Browse files

New integrations tests for #2016 - Fix for session ID fixation issue in

ActiveRecord::SessionStore

These new tests make sure that an invalid session ID is never
materialized into a new session, regardless of whether it comes in via a
cookie or a URL parameter (when :cookie_only => false).
  • Loading branch information...
1 parent fa3c0e4 commit d0e2340eea9e03b58fed398204c6b635c0a59878 @jhtwong jhtwong committed Jul 8, 2011
Showing with 31 additions and 0 deletions.
  1. +31 −0 actionpack/test/activerecord/active_record_store_test.rb
@@ -225,6 +225,36 @@ def test_allows_session_fixation
assert_equal session_id, cookies['_session_id']
end
end
+
+ def test_incoming_invalid_session_id_via_cookie_should_be_ignored
+ with_test_route_set do
+ open_session do |sess|
+ sess.cookies['_session_id'] = 'INVALID'
+
+ sess.get '/set_session_value'
+ new_session_id = sess.cookies['_session_id']
+ assert_not_equal 'INVALID', new_session_id
+
+ sess.get '/get_session_value'
+ new_session_id_2 = sess.cookies['_session_id']
+ assert_equal new_session_id, new_session_id_2
+ end
+ end
+ end
+
+ def test_incoming_invalid_session_id_via_parameter_should_be_ignored
+ with_test_route_set(:cookie_only => false) do
+ open_session do |sess|
+ sess.get '/set_session_value', :_session_id => 'INVALID'
+ new_session_id = sess.cookies['_session_id']
+ assert_not_equal 'INVALID', new_session_id
+
+ sess.get '/get_session_value'
+ new_session_id_2 = sess.cookies['_session_id']
+ assert_equal new_session_id, new_session_id_2
+ end
+ end
+ end
private
@@ -247,6 +277,7 @@ def with_store(class_name)
session_class, ActiveRecord::SessionStore.session_class =
ActiveRecord::SessionStore.session_class, "ActiveRecord::SessionStore::#{class_name.camelize}".constantize
yield
+ ensure
ActiveRecord::SessionStore.session_class = session_class
end
end

0 comments on commit d0e2340

Please sign in to comment.