reset session if env present, may be prevent for hijacking

[Gaurav2728]

cc @tenderlove Please review..!!

[rafaelfranca]

Could you explain better why this change is made?

[Gaurav2728]

Rails/Rack Session will expire when any env. should present. If request will come from any external source (CSRF/attackers) then we need to check env. where it is comming from. Like middleware_stack will respond according to ActionDispatch::Request.new env @rafaelfranca

[rafaelfranca]

I still don't get it, why we don't want to reset the session with a request? Is not env always present?

[Gaurav2728]

It'll reset the session when any env is available. I try to say session will reset for particular env where request is come from. Rails should response the request when --->

 if env.present?
   Http::Headers.from_hash(request_env).merge!(env)
end

But request will come from proxy --->

Rack::Request.new(RAILS_ENV=nil, RACK_ENV =nil)

[rafaelfranca]

Could you create a test case to demonstrate the issue that this code is
fixing?

On Tue, Sep 1, 2015, 05:22 Gaurav Sharma notifications@github.com wrote:

It'll reset the session when any env is available. I try to say session
will reset for particular env where request is come from. Rails should
response the request when --->

if env.present?
Http::Headers.from_hash(request_env).merge!(env)
end

But request will come from proxy --->

Rack::Request.new(RAILS_ENV=nil, RACK_ENV =nil)

—
Reply to this email directly or view it on GitHub
#21388 (comment).

[Gaurav2728]

@rafaelfranca i wrote the test case but WARNING: env is deprecated and will be removed from Rails 5.0 So this change NO longer needed. Thanks for your response. 😄