Calling reset_session inside of a controller with a NullSessionHash raises a nil exception.

[jbaudanza]

For example:

class FoobarsController < ApplicationController
  protect_from_forgery :with => :null_session

  # Posting to this action with an invalid authenticity token will raise an exception.
  def create
    reset_session
  end
end

Raising the following:

NoMethodError: undefined method `destroy_session' for nil:NilClass
    /Users/jon/.rvm/gems/ruby-1.9.2-p180/gems/rack-1.5.2/lib/rack/session/abstract/id.rb:85:in `destroy'
    /Users/jon/work/rails/actionpack/lib/action_dispatch/http/request.rb:257:in `reset_session'
    /Users/jon/work/rails/actionpack/lib/action_controller/metal/rack_delegation.rb:22:in `reset_session'
    /Users/jon/work/rails/actionpack/test/controller/request_forgery_protection_test.rb:83:in `try_to_reset_session'
    /Users/jon/work/rails/actionpack/lib/action_controller/metal/implicit_render.rb:4:in `send_action'

I've included a simple fix and a test case.

[algorithmcardboard]

Hi, I ran into the same issue. Is there any workaround for this issue?

[dmathieu]

@rajegannathan: the clean workaround would be to upgrade to 4.1.0.
Since it's still in beta, you might not be able to do so. In which case, you should be able to create a quick monkey-patch fixing this in a lower version.

[algorithmcardboard]

I am planning to use 4.0.1 in production system. So how exactly can I monkey patch this issue?

[dmathieu]

This PR adds a method on a class. Just reopen the class and add the same method.

[jbaudanza]

@rajegannathan Depending on your situation, you may be able to just remove the :protect_from_forgery filter from the relevant action. See my note to jhilden above.

[bradobro]

It might work to change protect_from_forgery's strategy to 'with: :reset_session'